Credit card swipers have found a hard-to-detect way to target WordPress websites using the WooCommerce plugin by secretly modifying legitimate JavaScript files.

That’s according to web security company Sucuri, which has detailed a recent attack it was called in to investigate on a site that had experienced a mysterious spate of credit card fraud.

How this was happening wasn’t clear until Sucuri ran an integrity check on the files (comparing the files present with a known default state), which revealed that the attackers had hidden malicious JavaScript code inside a system file.

This is unusual because most attacks on ecommerce systems involve appending code at the end of a file, a technique which is effective but easier for defenders to spot.
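
The integrity check described above, sketched as an added example (not Sucuri's tooling or code from the article): it compares a live site tree with a known-good copy and goes one step further by labelling whether a changed file was only appended to or was altered inside its original content. It assumes a clean copy of the same files is available in a separate directory; the function names, file names and contents are made up for the demonstration.

```python
import tempfile
from pathlib import Path


def classify(baseline: bytes, current: bytes) -> str:
    """Compare one live file with its known-good copy."""
    if current == baseline:
        return "unchanged"
    if current.startswith(baseline):
        return "appended"        # original intact, extra bytes at the end
    return "modified-inside"     # the original bytes themselves were altered


def integrity_check(baseline_dir: Path, site_dir: Path) -> dict:
    """Map each relative path to a status string."""
    report = {}
    for ref in (p for p in baseline_dir.rglob("*") if p.is_file()):
        rel = ref.relative_to(baseline_dir).as_posix()
        live = site_dir / rel
        report[rel] = (classify(ref.read_bytes(), live.read_bytes())
                       if live.is_file() else "missing")
    for live in (p for p in site_dir.rglob("*") if p.is_file()):
        rel = live.relative_to(site_dir).as_posix()
        report.setdefault(rel, "unexpected")  # present on site, not in baseline
    return report


def demo() -> dict:
    """Run the check over constructed sample trees (names and contents made up)."""
    files = {"js/cart.js": b"function total(){return 1;}\n",
             "js/checkout.js": b"function pay(){submit();}\n",
             "js/util.js": b"function noop(){}\n"}
    with tempfile.TemporaryDirectory() as tmp:
        base, site = Path(tmp, "baseline"), Path(tmp, "site")
        for root in (base, site):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        # Constructed changes: an append, an edit mid-file, a deletion, a new file.
        (site / "js/cart.js").write_bytes(files["js/cart.js"] + b"/* added */\n")
        (site / "js/checkout.js").write_bytes(b"function pay(){/* added */submit();}\n")
        (site / "js/util.js").unlink()
        (site / "js/extra.js").write_bytes(b"// not in baseline\n")
        return integrity_check(base, site)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:16} {path}")
```

Any status other than "unchanged" needs review; "modified-inside" is the case the article describes, where looking only at the end of a file would show nothing.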