Home > Security > Security News

Payment Card Data Stolen Using Fake Font Domain in WordPress Malware Attack

Published on April 11, 2025
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer
Credit Card

A malicious campaign targeted WordPress websites, which involved a fake font domain designed to skim credit card data from unsuspecting users according to a recent investigation by security researchers at Sucuri.

The case began when a WordPress website owner noticed an unusual spike in credit card fraud reports from their customers after purchases. Upon investigation, it was discovered that the website's checkout page was compromised by a suspicious script linked to the domain italicfonts[.]org. 

At first glance, the domain seemed legitimate, mimicking a site offering font resources. However, further analysis revealed it was designed specifically for malicious purposes.

Injecting the malicious domain italicfonts[.]org into the site
Injecting the malicious domain italicfonts[.]org into the site | Source: Sucuri

The attackers embedded a heavily obfuscated script into the site's footer.php file, recently modified to include the malicious domain. The script executed once users accessed the checkout page.

The injected code built a convincing credit card input field disguised as a legitimate payment form. This fake form was positioned strategically to collect billing information without raising suspicion.

The script captured sensitive payment details in real time, including card numbers, expiration dates, CVV codes, and billing addresses. These details were then exfiltrated to the attacker’s remote server hosted on the fake font domain, making it appear innocuous to automated security checks.

Three key indicators confirmed the malicious nature of italicfonts[.]org – recently registered domain, lack of indexed results, and presence in a fraudulent form.

Attackers commonly employ newly registered domains to avoid detection. The absence of indexed pages for the domain on search engines was a red flag. The domain's association with the fake payment form demonstrated its purpose as part of the skimming operation.

Add a Comment
Related
Spotify
Spotify Targets ‘SpotifyDL’ Track Download Extension with DMCA Takedown to Protect Its Platform
india justice court
Indian Court Issues Ruling to Block Proton Mail Over Misuse and Noncompliance Allegations
Rhysida Ransomware Targets US Architecture and Engineering Company ‘LaBella Associates’
Court Order on Piracy IPTV
DRM-Free OnlyFans Downloads Lead to Widevine Project Removal from GitHub
tracking
Data from Internet-Connected Vehicles Could Be Used in Govt Surveillance by Law Enforcement Agencies
Cybersecurity Firm Owner Faces Malware-Installation Allegations at US Hospital
Most Popular
NCIS: Origins
What you Should know About NCIS: Origins Season 2 - Release Window, Gibbs' Story, and more
Thunderbolts
Thunderbolts Post-Credits Scene: How many are There and what is Shown? 
Spotify
Spotify Targets ‘SpotifyDL’ Track Download Extension with DMCA Takedown to Protect Its Platform
india justice court
Indian Court Issues Ruling to Block Proton Mail Over Misuse and Noncompliance Allegations
Rhysida Ransomware Targets US Architecture and Engineering Company ‘LaBella Associates’
Court Order on Piracy IPTV
DRM-Free OnlyFans Downloads Lead to Widevine Project Removal from GitHub
What you Should know About NCIS: Origins Season 2 - Release Window, Gibbs' Story, and more
Thunderbolts Post-Credits Scene: How many are There and what is Shown? 
Spotify Targets ‘SpotifyDL’ Track Download Extension with DMCA Takedown to Protect Its Platform
Indian Court Issues Ruling to Block Proton Mail Over Misuse and Noncompliance Allegations
Rhysida Ransomware Targets US Architecture and Engineering Company ‘LaBella Associates’
DRM-Free OnlyFans Downloads Lead to Widevine Project Removal from GitHub

Most Popular
NCIS: Origins
What you Should know About NCIS: Origins Season 2 - Release Window, Gibbs' Story, and more
Thunderbolts
Thunderbolts Post-Credits Scene: How many are There and what is Shown? 
Spotify
Spotify Targets ‘SpotifyDL’ Track Download Extension with DMCA Takedown to Protect Its Platform
india justice court
Indian Court Issues Ruling to Block Proton Mail Over Misuse and Noncompliance Allegations
Rhysida Ransomware Targets US Architecture and Engineering Company ‘LaBella Associates’
Court Order on Piracy IPTV
DRM-Free OnlyFans Downloads Lead to Widevine Project Removal from GitHub
What you Should know About NCIS: Origins Season 2 - Release Window, Gibbs' Story, and more
Thunderbolts Post-Credits Scene: How many are There and what is Shown? 
Spotify Targets ‘SpotifyDL’ Track Download Extension with DMCA Takedown to Protect Its Platform
Indian Court Issues Ruling to Block Proton Mail Over Misuse and Noncompliance Allegations
Rhysida Ransomware Targets US Architecture and Engineering Company ‘LaBella Associates’
DRM-Free OnlyFans Downloads Lead to Widevine Project Removal from GitHub

TechNadu keeps you informed with the latest in cybersecurity, VPNs, streaming, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: