Full Report
Cybersecurity researchers have discovered a major web skimming campaign that has been active since January 2022, targeting several major payment networks like American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. "Enterprise organizations that are clients of these payment providers are the most likely to be impacted," Silent Push said in a report published today.
Analysis Summary
# Incident Report: Long-Running Web Skimming Campaign Targeting Payment Networks
## Executive Summary
A major, long-running web skimming campaign, active since January 2022, has been discovered targeting enterprise organizations that use major payment networks, including American Express, Mastercard, and Discover. Attackers injected obfuscated JavaScript via domains hosted with providers linked to malicious activity, and evaded detection by aborting whenever a WordPress administrator bar was present in the DOM. The campaign harvested credit card details, PII, and shipping information from customers on checkout pages and then exfiltrated the data.
## Incident Details
- **Discovery Date:** January 13, 2026 (Date of the report publication)
- **Incident Date:** Active since January 2022
- **Affected Organization:** Enterprise organizations that are clients of the targeted payment providers (American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay). Specific victims not disclosed.
- **Sector:** E-commerce / Financial Services (Merchants processing payments)
- **Geography:** Global (Implied by targeting major payment networks)
## Timeline of Events
### Initial Access
- **Date/Time:** At least January 2022
- **Vector:** Supply-chain compromise, leading to the deployment of malicious code on Magento or other e-commerce platforms (Magecart-related activity).
- **Details:** Attackers leveraged hosting infrastructure associated with Stark Industries (now THE[.]Hosting) to host malicious JavaScript payloads on the domain `cdn-cookie[.]com`.
### Lateral Movement
- *Not explicitly detailed in the provided text; the attack appears focused on client-side/front-end compromise.*
### Data Exfiltration/Impact
- **Date/Time:** Ongoing throughout the lifecycle of the campaign.
- **Details:** The skimmer, disguised as "recorder.js" or "tab-gtm.js," presented a fake Stripe payment form to users after modifying the DOM. Victim credit card numbers, expiration dates, CVCs, names, phone numbers, email addresses, and shipping addresses were stolen. Data was exfiltrated via HTTP POST requests to the server `lasorie[.]com`.
### Detection & Response
- **Date/Time:** Leading up to the report published on January 13, 2026.
- **Details:** Silent Push discovered the campaign by analyzing the suspicious domain `cdn-cookie[.]com`, which was linked to known malicious hosting (Stark Industries/THE[.]Hosting).
## Attack Methodology
- **Initial Access:** Deployment of malicious JavaScript payload via external domain (`cdn-cookie[.]com`) loaded on e-commerce checkout pages.
- **Persistence:** Unknown for any server-side component. On the client, the skimmer sets `wc_cart_hash` to "true" in `localStorage` after a successful skim; the flag acts as a re-execution guard so the fake form is not shown again to the same victim.
- **Privilege Escalation:** Not applicable to client-side skimming context.
- **Defense Evasion:**
1. **Code Obfuscation:** Payloads were highly obfuscated.
2. **Admin Detection:** Initiates self-destruction if the WordPress admin bar element (`wpadminbar`) is detected in the DOM.
- **Credential Access:** User input captured via a fake payment form (UI spoofing).
- **Discovery:** Not applicable to client-side skimming context.
- **Lateral Movement:** Not applicable.
- **Collection:** Credit card details (PAN, Expiry, CVC), names, phone numbers, emails, and shipping addresses were captured upon form submission.
- **Exfiltration:** HTTP POST requests sent to `lasorie[.]com`.
- **Impact:** Data theft and session cleanup.
## Impact Assessment
- **Financial:** High potential for financial fraud due to widespread credit card compromise across major payment networks.
- **Data Breach:** Sensitive payment card data (cardholder data in PCI DSS terms) and Personally Identifiable Information (PII) are confirmed stolen. Volume depends on the number of targeted merchants and shoppers.
- **Operational:** Potential disruption or trust issues for affected enterprise organizations relying on compromised payment processors.
- **Reputational:** Significant reputational damage for targeted merchants, especially given the campaign's long duration (since 2022).
## Indicators of Compromise
- **Network Indicators:**
  - `cdn-cookie[.]com` (Malicious distribution domain)
  - `lasorie[.]com` (Exfiltration destination)
- **File Indicators:**
  - `recorder.js` (Malicious payload filename)
  - `tab-gtm.js` (Malicious payload filename)
- **Behavioral Indicators:**
  - Modification of the web page DOM upon user interaction.
  - JavaScript reading input fields when the fake payment form is submitted.
  - `wc_cart_hash` set to "true" in `localStorage`.
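The indicators above can be turned into a simple client-side check. The following is an added example written for this report, not code from Silent Push or from the skimmer itself: it takes the `src` values of a page's script tags plus a `localStorage`-like object and returns a list of matches against the network, file and behavioral indicators listed. The IoC domains are refanged (`[.]` replaced by `.`) so they can be compared against parsed URLs; the page origin `https://shop.example/` and the sample script list and storage contents are constructed for the demonstration.

```javascript
// Added example: match a checkout page's scripts and localStorage against the
// indicators from the report. IoC values come from the report; everything else
// (page origin, sample data) is constructed here.

const IOC_DOMAINS = ["cdn-cookie.com", "lasorie.com"];   // refanged from the report
const IOC_FILENAMES = ["recorder.js", "tab-gtm.js"];      // payload filenames from the report
const PAGE_ORIGIN = "https://shop.example/";              // assumed origin for relative srcs

// scriptSrcs: array of script src strings; storage: object with getItem(key).
// Returns an array of {type, value} findings; an empty array means no match.
function scanForSkimmerIndicators(scriptSrcs, storage) {
  const findings = [];
  for (const src of scriptSrcs) {
    let url;
    try {
      url = new URL(src, PAGE_ORIGIN);
    } catch (e) {
      continue; // unparsable src: nothing to compare against
    }
    const host = url.hostname.toLowerCase();
    if (IOC_DOMAINS.some(d => host === d || host.endsWith("." + d))) {
      findings.push({ type: "ioc-domain", value: src });
    }
    const file = url.pathname.split("/").pop().toLowerCase();
    if (IOC_FILENAMES.includes(file)) {
      findings.push({ type: "ioc-filename", value: src });
    }
  }
  // The report's behavioral indicator: the literal string "true" under wc_cart_hash.
  if (storage.getItem("wc_cart_hash") === "true") {
    findings.push({ type: "localstorage-flag", value: "wc_cart_hash=true" });
  }
  return findings;
}

// Browser entry point: collect inputs from the live document and window.localStorage.
function scanDocument(doc, storage) {
  const srcs = Array.from(doc.querySelectorAll("script[src]"))
    .map(s => s.getAttribute("src"));
  return scanForSkimmerIndicators(srcs, storage);
}

// Constructed sample data standing in for a compromised checkout page.
const sampleScripts = [
  "https://shop.example/assets/app.js",   // legitimate first-party script
  "https://cdn-cookie.com/recorder.js",   // matches both a domain and a filename IoC
  "/static/tab-gtm.js",                   // same-origin copy with an IoC filename
];
const sampleStorageData = new Map([["wc_cart_hash", "true"]]);
const sampleStorage = {
  getItem: key => (sampleStorageData.has(key) ? sampleStorageData.get(key) : null),
};

console.log(JSON.stringify(scanForSkimmerIndicators(sampleScripts, sampleStorage), null, 2));
```

The scan is deliberately narrow: it flags only the exact indicators the report gives, so an unexpected third-party script that is not on the IoC list will not be reported. For that broader case, compare the script list against an explicit allowlist instead, which is what the CSP recommendation below amounts to.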
## Response Actions
- **Containment measures:** None explicitly reported, but implied steps would involve identifying and removing the malicious script injection points on affected merchant websites.
- **Eradication steps:** Removal of the malicious JavaScript from the checkout pages and banning of the identified malicious domains (`cdn-cookie[.]com` and `lasorie[.]com`).
- **Recovery actions:** Not detailed, though typically involves deploying patches, sanitizing code repositories, and validating the security posture of payment processing environments.
## Lessons Learned
- **Supply Chain Risk:** Compromise vectors originating from third-party hosting providers (like the link to Stark Industries/THE[.]Hosting) pose a significant, long-term threat.
- **Advanced Evasion:** Attackers possess advanced knowledge of underlying platform features (e.g., WordPress internals like `wpadminbar`) to ensure stealth and customized detection evasion.
- **Defense in Depth Failure:** Client-side skimming continues to be a successful vector, often bypassing traditional perimeter defenses.
## Recommendations
- **Strict Content Security Policy (CSP):** Deploy a strict CSP whose `script-src` directive allowlists only the origins the checkout page legitimately needs. CSP is an allowlist, so a domain such as `cdn-cookie[.]com` is blocked unless it is explicitly permitted.
- **Integrity Monitoring:** Implement robust file integrity monitoring (FIM) and client-side monitoring to detect unauthorized DOM manipulation or the loading of unauthorized scripts on payment pages.
- **Payment Processor Hardening:** Minimize client-side entry of card data. Prefer server-side tokenization or the processor's own controlled payment widgets (for example, a properly integrated Stripe form), which limits what an injected script can capture.
- **Infrastructure Scrutiny:** Regularly audit third-party scripts and connections to ensure they do not originate from known or related malicious hosting providers.
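To make the CSP recommendation concrete, here is an added example (not code from the report or from any vendor) that builds a `script-src` allowlist and then evaluates whether a given script URL would be permitted by it. It implements a simplified subset of CSP host-source matching: the `'self'` keyword, scheme-only sources such as `https:`, and scheme-plus-host sources with an optional `*.` wildcard. Ports, paths, nonces and hashes are not handled and such sources simply never match. The merchant origin `https://shop.example` is constructed; `https://js.stripe.com` is assumed as the Stripe script host for illustration.

```javascript
// Added example: a script-src allowlist and a simplified CSP host-source matcher.
// Real browser matching also covers ports, paths, nonces and hashes; this version
// only handles 'self', scheme-only sources, and scheme://host with a "*." wildcard.

const ALLOWED_SCRIPT_SOURCES = [
  "'self'",
  "https://js.stripe.com", // assumed: host of the payment processor's widget script
];

// Joins the allowed sources into a script-src directive string.
function buildScriptSrcDirective(sources) {
  return "script-src " + sources.join(" ");
}

// Returns true if a single non-keyword source expression permits the parsed URL.
function hostSourceMatches(source, url) {
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(source);
  if (schemeOnly) {
    return url.protocol.toLowerCase() === schemeOnly[1].toLowerCase() + ":";
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^/:]+)\/?$/i.exec(source);
  if (!m) return false; // keyword, nonce, hash or port-bearing source: not handled here
  const [, scheme, wildcard, host] = m;
  if (url.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  const h = url.hostname.toLowerCase();
  const target = host.toLowerCase();
  return wildcard ? h.endsWith("." + target) : h === target;
}

// Decides whether scriptUrl (absolute or relative to pageOrigin) is allowed
// by the given script-src directive.
function isScriptAllowed(directive, scriptUrl, pageOrigin) {
  const url = new URL(scriptUrl, pageOrigin);
  const selfOrigin = new URL(pageOrigin).origin;
  const sources = directive.replace(/^script-src\s+/i, "").trim().split(/\s+/);
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === selfOrigin) return true;
      continue;
    }
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Constructed check against the merchant origin used throughout this example.
const PAGE = "https://shop.example";
const directive = buildScriptSrcDirective(ALLOWED_SCRIPT_SOURCES);
for (const candidate of [
  "/assets/checkout.js",                 // first-party: allowed by 'self'
  "https://js.stripe.com/v3/",           // listed processor host: allowed
  "https://cdn-cookie.com/recorder.js",  // skimmer distribution domain: blocked
]) {
  console.log(candidate, "->", isScriptAllowed(directive, candidate, PAGE) ? "allowed" : "blocked");
}
```

The directive string this produces is what would be sent in the `Content-Security-Policy` response header for the checkout page. Note that the first-party `/static/tab-gtm.js` case from the indicators section would still be allowed by `'self'`; CSP restricts where scripts may be loaded from, so it complements rather than replaces the integrity monitoring recommended above.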