Attackers are using advanced web skimming and script injection to phish sensitive financial information from online shoppers in East Asia.
A newly identified cyberattack is actively targeting e-commerce platforms across East Asia that use the OpenCart content management system, according to fresh threat intelligence emerging this week.
Security researchers have detected a campaign that injects a malicious fake credit card form into checkout pages of compromised online stores, allowing attackers to harvest users’ payment information when filling out transaction details.
Unlike generic malware or standard Magecart (web skimming) operations, this campaign is notable for its technical sophistication and evasiveness. The malicious script disguises itself as a Google Analytics integration, and is deeply obfuscated: it leverages advanced code techniques such as dynamic evaluations and input masking. Rather than deploying a general-purpose keylogger or clipboard sniffer, the attack focuses specifically on capturing only payment form data entered manually by shoppers, reducing its detectable footprint.
The fake form is designed to blend in with the online retailer’s existing user interface and sits hidden among legitimate third-party scripts, making it difficult for store owners to spot. Payment data, including card numbers and subsequent banking details, is validated by the injected form before being instantly exfiltrated to attacker-controlled infrastructure.
Analysis has linked the backend command-and-control communications to domains including ultracart[.]shop and hxjet[.]pics.
Security analysts have confirmed operational use of exfiltrated card data in real-world fraudulent transactions occurring weeks after victims’ initial purchases, indicating the attackers’ ongoing and persistent access to fresh financial data.
Unlike other skimming operations that indiscriminately collect data, this group’s measured approach allows them to avoid detection for extended periods.
Disclosure of this campaign, along with technical indicators of compromise and decoded payloads, was made by security researcher Himanshu Anand, c/side, whose team had observed the malicious scripts and traced the attacker infrastructure.
Standard defense measures include monitoring and blocking suspicious scripts, enforcing PCI DSS, detecting form changes, and updating domain threat lists promptly.
