Over the past year, the National Cyber Security Centre Finland (NCSC-FI) has been observing a steady rise in compromises targeting online shops and content-management platforms. Although the tactics resemble classical skimming campaigns, the latest cases show a shift toward more subtle infection vectors, more persistent footholds and a stronger focus on supply-chain weaknesses. For developers and operators of e-commerce sites, the takeaway is unsettling. Even when you rely on trusted third-party payment processors and never store card data, your platform can still become the weakest link.
At the core of these incidents is malicious JavaScript quietly injected into the site. The most effective skimmers now embed themselves in places unlikely to be reviewed, for example inside minified script bundles or inside plugin resources that administrators rarely inspect. Once the attacker has write access to the filesystem or database, they place an obfuscated script that monitors the DOM for payment-related events. The script activates as soon as the user begins typing into credit-card fields or when the page loads an iframe or form associated with a payment service provider. The captured information is exfiltrated in real time, usually through an HTTP request disguised as a harmless analytics call or an asset fetch. Many of the samples observed by NCSC-FI communicate with attacker-controlled domains deliberately crafted to blend in with the site’s legitimate CDN or marketing infrastructure.
The infection vector often originates from a vulnerable extension, outdated plugin or abandoned theme. In platforms such as WordPress, the long tail of unmaintained add-ons has become a prime target. When an attacker gains initial entry (sometimes through a trivial vulnerability that has been patched upstream but not updated by the site owner) they typically drop multiple backdoors instead of relying on a single script. These backdoors may include PHP webshells hidden in plugin directories, database-level modifications, or rogue admin accounts that appear inactive but retain elevated privileges. Simply removing the visible malicious JavaScript rarely resolves the compromise. Persistent access tends to be re-established unless the site owner performs a full forensic validation of every executable path.
One particularly interesting observation is how attackers exploit the trust model around third-party payments. Many website owners assume that outsourcing payments eliminates PCI-related risk. In reality, if the malicious code is present before the user is redirected or before the payment iframe loads, the attacker sits in the privileged position between the customer and the provider. The skimmer does not need to break encryption or intercept traffic in transit. It merely records what the user types. This means even the most reputable payment providers cannot protect a site whose presentation layer has been compromised.
Defending against these attacks requires a shift from reactive cleanup to proactive hygiene. Continuous verification of file integrity, for example through hashing or external monitoring, helps spot unauthorized modifications early. Administrators who routinely test their own checkout flow (not just visually but by inspecting network traffic) are far more likely to catch an injected script masquerading as an analytics tag. Reviewing the list of installed plugins and themes is equally important. Every unused or outdated component widens the attack surface. Authentication hardening matters as well. Privileged accounts should be minimized, passwords must be strong and unique, and multi-factor authentication should be mandatory for administrative access. When the operational workload becomes too heavy or the platform too customized, bringing in professional maintenance services is not just a convenience but a security measure.
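As an added illustration of the file-integrity verification described above (example code written for this article, not from NCSC-FI or any particular platform), the following script baselines a web root with SHA-256 and reports added, removed and modified files on a later run; the directory layout and sample files are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed file-integrity checker: build a SHA-256 baseline of every file under
# a web root, then diff a fresh scan against it to surface unauthorized changes.

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Return the paths that were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: a clean site is baselined, then a script bundle is
    altered and an unexpected PHP file appears in a plugin directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "shop"
        (root / "assets").mkdir()
        plugin.mkdir(parents=True)
        (root / "assets" / "app.min.js").write_text("!function(){console.log('shop')}();")
        (plugin / "shop.php").write_text("<?php // plugin entry point\n")
        # In practice store the baseline off-host; here it is only round-tripped via JSON.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Simulated tampering (constructed, no real payload): modify a bundle, drop a file.
        with (root / "assets" / "app.min.js").open("a") as f:
            f.write("/* appended */")
        (plugin / "cache.php").write_text("<?php // file not in baseline\n")
        return compare(baseline, build_baseline(root))
```

Run `demo()` to see the report; scheduling `build_baseline` against a trusted copy and alerting on any non-empty `compare` result gives the early warning the text recommends.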
What the recent NCSC-FI cases ultimately demonstrate is that website security is not a single act but a lifecycle discipline. A compromised storefront does not merely risk payment data. It undermines trust, potentially exposes personal information and may require regulatory notifications. In complex environments, attackers rely on the fact that owners rarely inspect code paths deeply or regularly. Breaking that assumption is the strongest defense. Make an inspection routine, treat every dependency as a potential supply-chain component and ensure that your platform is monitored with the same seriousness as any other critical system.
Find out more from NCSC-FI (in Finnish):
https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/ajankohtaista-verkkojulkaisualustoista