Targeted Phishing and Web Skimming Attacks on Online Payment Systems
A series of sophisticated cyberattacks have targeted online payment systems and e-commerce users through phishing emails, malicious browser extensions, and large-scale web skimming operations. One campaign impersonated WordPress.com, sending convincing domain renewal emails that redirected victims to a fake payment portal designed to steal credit card details and 3-D Secure OTPs, with exfiltration occurring via Telegram. Another operation involved over 50 malicious scripts injected into checkout and account creation flows on e-commerce sites, using modular payloads tailored for specific payment processors like Stripe, PayPal, and Mollie, and leveraging fake domains to evade detection.
In parallel, threat actors have deployed malicious browser extensions across Chrome, Edge, and Firefox, impacting millions of users by hijacking search queries, stealing data, and committing affiliate fraud. These extensions often remain dormant for extended periods before being weaponized through updates, further complicating detection. Collectively, these campaigns demonstrate a significant evolution in cybercriminal tactics, blending phishing, web skimming, and browser-based attacks to compromise sensitive financial and personal information at scale.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Fake WordPress domain-renewal phishing campaign observed
Researchers documented a phishing campaign impersonating WordPress.com domain renewal notices, directing victims to a fake payment portal at soyfix[.]com. The operation stole credit card details and 3-D Secure OTPs, exfiltrating them via Telegram while using Alibaba Cloud-linked mail infrastructure and spoofing-friendly email conditions.
Source Defense researchers uncover large-scale Magecart skimming campaign
Source Defense Research identified a global web-skimming operation using more than 50 malicious scripts against e-commerce sites. The campaign harvested payment card data, customer identities, credentials, and email addresses through checkout and account-creation flows using localized payloads and deceptive infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Fake WordPress Domain Renewal Phishing Email Stealing Credit Card And 3-D Secure OTP
malwr-analysis.com
Open sourceMassive Magecart with 50+ Malicious Scripts Hijacking Checkout and Account Creation Flows
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and Financial Fraud Campaigns Targeting Online Accounts and Payment Data
Threat researchers reported multiple financially motivated social-engineering operations designed to steal credentials and enable downstream fraud. Malwarebytes documented a **job-themed phishing** campaign impersonating *Google Forms* via the lookalike domain `forms.google.ss-o[.]com`, using a `generation_form.php` script to generate personalized lure URLs and redirecting victims through a fake form to a credential-harvesting login flow (e.g., `id-v4[.]com`). The infrastructure also used redirection to local Google search pages as an anti-analysis tactic to reduce link sharing and researcher visibility. Separately, Bridewell-reported activity described a **Booking.com-themed, multi-stage phishing and fraud scheme** targeting both hotel partners and guests: initial “complaint”/reservation lures drive staff to attacker-controlled portals using lookalike domains (including **IDN homograph** tricks) to harvest partner credentials, followed by account takeover and guest-facing fraud (including WhatsApp outreach using real booking details). A third report described the broader rise of **Carding-as-a-Service (CaaS)** marketplaces (e.g., “fullz” bundling and platforms such as Findsome and UltimateShop) and the supply chain feeding them (PhaaS credential theft, skimming, and malware), but it did not describe the same specific phishing incidents and should be treated as related background rather than part of the same event.
Mar 21, 2026
Silent Push Uncovers Long-Running Magecart Web-Skimming Infrastructure Targeting Major Payment Networks
Silent Push reported a large-scale **Magecart-style web-skimming** operation active since early 2022 that uses an extensive domain network to support client-side JavaScript skimmers on compromised e-commerce checkout pages. The activity is assessed to impact **online shoppers** and organizations that are **clients of major payment providers**, with targeting noted against **American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay**; the skimmers are designed to quietly exfiltrate payment-card and other form data during transactions rather than disrupt systems. Technical reporting tied the infrastructure to domains hosting **highly obfuscated skimmer payloads** (e.g., `recorder.js`, `tab-gtm.js`) and described evasion logic that attempts to avoid execution when site administrators are present (e.g., checking the DOM for WordPress’ `wpadminbar`). The infrastructure analysis also linked parts of the campaign to a domain associated with the sanctioned bulletproof hosting ecosystem around **Stark Industries / PQ.Hosting**, which has been described as rebranding to *THE[.]Hosting* under **WorkTitans B.V.**, consistent with sanctions-evasion behavior; researchers emphasized that weak **third-party script governance** on payment pages remains a key enabling factor for this type of long-lived skimming operation.
Mar 21, 2026
Phishing Campaigns Abuse Trusted Platforms and Collaboration Tools to Steal Credentials
Multiple reports describe a broader **credential-theft trend** in which attackers abuse trusted services and familiar business workflows to make phishing more convincing and harder to detect. One campaign used **compromised WordPress sites** and redirects through `skimresources[.]com` to deliver pixel-perfect fake login pages for **Microsoft Teams**, **Xfinity**, and **UAE Pass**, with lures such as missed voicemail and shared-document alerts. Another campaign abused **LiveChat**'s `lc[.]chat` infrastructure to impersonate brands like **PayPal** and **Amazon**, moving victims into fake support conversations designed to extract sensitive information under the guise of refunds or order issues. A separate industry report reinforces the same operational pattern: attackers increasingly rely on **valid credentials** and trusted collaboration tools rather than software exploits, with cloud identity compromise driving most investigated incidents and some intrusions using **Microsoft Teams voice phishing** and **Quick Assist** to gain access, move laterally, and deploy ransomware. Other references in the set cover different stories entirely, including the **CamelClone** espionage operation, a **FancyBear/APT28** infrastructure exposure, and a general weekly security recap, and do not describe the same phishing activity. This is **not fluff** because the relevant items contain substantive threat intelligence on active attack methods, delivery infrastructure, and attacker tradecraft.
Mar 21, 2026