WordPress Websites Under Silent Threat
A sneaky malware attack has been uncovered targeting WordPress websites. This time, cybercriminals used a very clever trick to steal people’s payment card details. They disguised their malicious operation behind what looked like a normal font-related website. The domain, called italicfonts[.]org, appeared harmless at first glance. But in reality, it was designed to capture and steal sensitive payment information during online checkouts.
The case came to light when a WordPress website owner noticed an unusual number of credit card fraud complaints from customers who had recently made purchases. At first, nothing seemed out of place. The checkout page looked and functioned as expected. But behind the scenes, the site had been quietly compromised by a hidden malicious script.
Experts discovered that the attackers had injected this harmful script into a key part of the website’s code — the footer.php file. This file is part of the website’s theme and loads on every page, making it the perfect hiding spot. Once the user reached the checkout page, the script activated and did something alarming. It created a fake credit card form that appeared just like the real one. This fake form collected the card number, expiration date, CVV code, and billing address entered by the customer.
All of this information was sent in real time to a remote server. That server was hosted on italicfonts[.]org — the fake font domain the attackers had set up for this purpose. The process was invisible to the user. The form looked legitimate, the page looked secure, and the transaction appeared to go through. But behind the scenes, the attackers were collecting every single detail.
The Dangerous Trick Behind the Fake Font Domain
The success of this attack relied heavily on how realistic the setup looked. The domain name used by the attackers seemed completely normal. A site offering italic fonts doesn’t raise suspicion, especially to someone just trying to complete a purchase. But there were clues that showed something was wrong.
This domain had no real font content. In fact, it wasn’t indexed by search engines at all, which means people couldn’t find it through a simple search. That’s strange for any genuine website. Search engines usually list sites with useful content, and font resource sites tend to be popular. So the lack of visibility was the first red flag.
Another sign of danger was the domain’s recent registration. Attackers often use brand-new domains to avoid being detected by security tools. Newly registered websites don’t have much of a history online, making them harder for automated systems to judge as suspicious.
But the biggest giveaway was how the domain was used. It wasn’t just sitting there. It was connected directly to the fake payment form stealing credit card data. The script that created this form was also heavily obfuscated. This means it was scrambled in a way that made it nearly impossible to understand at a glance. Obfuscation is a tactic often used by hackers to hide the true purpose of their code. This makes it harder for security software — and even human eyes — to detect malicious activity.
How the Scam Was Uncovered
The malware was discovered only after multiple cases of fraud were reported by customers. When experts took a deeper look at the website, they noticed that the footer.php file had recently been changed. That file is a common target for attackers because it loads on every page of a WordPress site. By placing the malicious script there, the attackers ensured that it would run at the right time — during checkout — without affecting the overall look or function of the website.
Once loaded, the fake form blended seamlessly with the real one. Users were unaware they were entering information into a trap. Everything they typed was sent straight to the attackers, allowing them to use or sell the stolen card details.
Even advanced security tools had difficulty catching this trick because the fake domain looked innocent. It didn’t host malware in the traditional sense. It didn’t contain suspicious downloads or obvious viruses. Instead, it simply served as a tool for stealing information — silently and efficiently.
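The two clues in this case, a recently changed footer.php and a script pointing at a domain the shop never used, can be checked automatically. The sketch below is an added example, not code from the investigation: it compares theme files against known-good hashes and, for any changed file, lists external hosts outside an allowlist plus generic obfuscation hints. The allowlist, file contents, script path and marker list are constructed assumptions.

```python
import hashlib
import re

# Assumption: hosts this shop legitimately loads scripts from (constructed).
ALLOWED_HOSTS = {"shop.example", "payments.example"}
# Generic JavaScript obfuscation hints; the article does not name the technique used.
MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(")
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_theme(baseline, current, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for theme files whose hash differs from the known-good baseline."""
    findings = []
    for name, content in sorted(current.items()):
        if baseline.get(name) == sha256(content):
            continue  # unchanged since the baseline was taken
        hosts = {h.lower() for h in HOST_RE.findall(content)}
        findings.append({
            "file": name,
            "unknown_hosts": sorted(hosts - allowed_hosts),
            "obfuscation_markers": [m for m in MARKERS if m in content],
        })
    return findings


# Constructed sample data: a clean footer.php and a tampered copy.
HEADER = "<?php wp_head(); ?>"
CLEAN_FOOTER = (
    '<script src="https://shop.example/wp-includes/js/cart.js"></script>\n'
    "<?php wp_footer(); ?>"
)
TAMPERED_FOOTER = CLEAN_FOOTER + (
    # Script path is made up; the encoded string is a harmless console.log(1).
    '\n<script src="//italicfonts.org/constructed.js"></script>'
    '\n<script>eval(atob("Y29uc29sZS5sb2coMSk="))</script>'
)
BASELINE = {"header.php": sha256(HEADER), "footer.php": sha256(CLEAN_FOOTER)}
CURRENT = {"header.php": HEADER, "footer.php": TAMPERED_FOOTER}

if __name__ == "__main__":
    for finding in audit_theme(BASELINE, CURRENT):
        print(finding)
```

Files missing from the baseline are reported as well, so a newly dropped theme file shows up alongside modified ones.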