Telegram bot used by hackers to steal data from WooCommerce sites

Telegram Bot Hackers Data Stealer WooCommerce Website Protection Credit Card Skimmer CMS

Hackers deploying Telegram bot to steal troves of data from WooCommerce websites have been found. These malicious adversaries used credit card skimmers, leading to several cases of credit card theft reported on an eCommerce site.

The first scenario is that a website owner received numerous complaints from customers who reported faulty transactions on their cards after completing some payment on a website.

A couple of days after the first case of credit card scam was reported, security experts and law enforcement agencies initiated an investigation. Based on reports, the researchers observed that the hackers modified multiple files last weekend.

They also noticed that there were two files with a credit card skimmer. The first payload used the Telegram APIs to send harvested credential details to the threat actors via CURL. The other payload is associated with the Place Order button on the website’s checkout page.


The credit card skimmer was located inside a custom file of a WooCommerce website.


The initial portion of the credit card skimmer was located inside a JavaScript file coded as script[.]js file, a custom file, was attached to a popular Storefront WooCommerce-themed website.

Moreover, a JavaScript snippet was discovered by researchers sending a POST request whenever the “Place Order” button activates it on the checkout page.

Once an order is completed on the compromised website, the credit card details will be sent by the payload to a Telegram chat room. Ultimately, the credit card details will be sold by the threat actors on the black market, which can result in faulty transactions on credit cards.

The script file performs actions such as receiving the input provided to it by users and adding a user agent and IP details. It decodes the base64 encoded content and uses the Telegram API to distribute content to a corresponding chatbot through CURL.

WooCommerce became one of the most targeted CMS platforms for credit card skimming malware. E-commerce website owners should update their software, have strong passwords, have competent firewall services, and protect the admin panel from unwanted access.

About the author

Leave a Reply