Magecart Skimmer Poses as Payment Service Provider

The skimmer used in a recently discovered Magecart attack on a Magento-based e-commerce website was posing as a payment service provider via a rogue iframe, Malwarebytes reports.

The Magecart hackers made a name for themselves last year, after a series of high-profile attacks, such as those on Ticketmaster, British Airways, and Newegg.

The hackers changed tactics following detailed reports on the activity of multiple groups, but the attacks continued, with the most recent of them hitting campus e-commerce sites and Picreel and Alpaca Forms.

One of the techniques used by the Magecart attackers to steal payment card data is to place their web skimmers onto check-out pages. The same method was used in the attack Malwarebytes observed, but with a twist. 

The attackers added a bogus iframe to a retailer’s payment page asking users to enter their credit card data, even though the page did not normally contain such a form and instead redirected customers to a payment service provider (PSP).

The website uses the popular Magento e-commerce platform, which helps merchants comply with the Payment Card Industry Data Security Standard (PCI DSS) by eliminating the need to host sensitive data on the Magento application server itself.

The shopping website would normally redirect users to a PSP to complete the purchase, but the attackers added their card-grabbing form to the check-out page while leaving the redirection in place.

Thus, right beneath the fake credit card field, the text says: “Then you will be redirected to PayuCheckout website when you place an order.” 

“And indeed the unsuspecting shopper will then be taken to another—legitimate this time—payment form to re-enter their credit card details. This should be an immediate red flag if you have to type in your information twice. This is the kind of scenario we typically see with phishing sites as well,” Malwarebytes notes.

The code also validates the entered credit card data before exfiltrating it.

The hackers injected malicious code into all of the Magento site’s pages, but it only triggers if the URL in the address bar is the shopping cart checkout page. It also performs some additional checks (screen dimensions and presence of a web debugger) before continuing.

The code loads an external piece of JavaScript from thatispersonal[.]com, a domain registered with REGISTRAR OF DOMAIN NAMES REG.RU LLC and hosted in Russia. The data is exfiltrated in a custom encoded format.
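The two observable symptoms described above, a card-entry form appearing on a checkout page that is supposed to hand off to a PSP and a script or iframe loaded from an origin the shop never configured, are both things a merchant can check for in the rendered checkout page. The following is an added example written for this article; it is not Malwarebytes' or Magento's code. The HTML samples, the `shop.example` and `cdn.example-skimmer.invalid` hosts, and the field-name heuristic are all constructed for illustration.

```python
"""Checkout-page integrity check (added example, not code from the article).

Given the HTML of a checkout page, report:
  * external <script> sources whose host is not on an allowlist,
  * <iframe> elements whose host is not on an allowlist (or that have no src),
  * payment-card input fields on a page that is expected to redirect to a PSP
    and therefore should not collect card data itself.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic for input names/ids that look like card-capture fields (assumption).
CARD_FIELD_RE = re.compile(r"(card|cc[_-]?num|cvv|cvc|expir)", re.I)


class PageInventory(HTMLParser):
    """Collect script sources, iframe sources and input field names."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # values of <script src="...">
        self.iframes = []   # values of <iframe src="..."> ("" when absent)
        self.inputs = []    # (name-or-id, type) for every <input>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "input":
            self.inputs.append((a.get("name") or a.get("id") or "", a.get("type") or "text"))


def host_of(url):
    """Return the lowercase host of a URL; '' for relative (first-party) URLs."""
    return urlparse(url).netloc.lower()


def audit_checkout_page(html, allowed_script_hosts, allowed_frame_hosts, expects_psp_redirect=True):
    """Return a list of (finding_kind, detail) tuples; empty list means nothing flagged."""
    inv = PageInventory()
    inv.feed(html)
    findings = []
    for src in inv.scripts:
        h = host_of(src)
        if h and h not in allowed_script_hosts:
            findings.append(("unexpected_script_origin", src))
    for src in inv.iframes:
        h = host_of(src)
        if not h:
            # No src (or a relative one): content is injected inline or via the DOM.
            findings.append(("inline_iframe", src or "<no src>"))
        elif h not in allowed_frame_hosts:
            findings.append(("unexpected_iframe_origin", src))
    card_fields = [name for name, _ in inv.inputs if CARD_FIELD_RE.search(name)]
    if expects_psp_redirect and card_fields:
        # The shop hands card entry to the PSP, so these fields should not exist here.
        findings.append(("card_fields_on_redirect_checkout", ",".join(card_fields)))
    return findings


# Constructed sample pages (not captured from the compromised site).
CLEAN_CHECKOUT = """
<html><body>
<script src="/static/js/checkout.js"></script>
<form id="checkout"><input name="email" type="email"><button>Place order</button></form>
<p>Then you will be redirected to the payment provider when you place an order.</p>
</body></html>
"""

TAMPERED_CHECKOUT = """
<html><body>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example-skimmer.invalid/loader.js"></script>
<iframe src="https://cdn.example-skimmer.invalid/pay.html"></iframe>
<form id="checkout"><input name="email" type="email">
<input name="cc_number"><input name="cc_cvv"><input name="cc_expiry"></form>
<p>Then you will be redirected to the payment provider when you place an order.</p>
</body></html>
"""

if __name__ == "__main__":
    allowed_scripts = {"shop.example"}
    print("clean:", audit_checkout_page(CLEAN_CHECKOUT, allowed_scripts, set()))
    print("tampered:", audit_checkout_page(TAMPERED_CHECKOUT, allowed_scripts, set()))
```

Two caveats follow from the article itself. The injected code only activated on the checkout URL and first checked screen dimensions and for an attached debugger, so a scan of the server-side template or a fetch with a headless client that fails those checks can come back clean; the HTML fed to `audit_checkout_page` should be the DOM as a real shopper's browser renders it. And a shop that legitimately hosts its own card fields would call the function with `expects_psp_redirect=False` and rely on the origin allowlists instead, which is the same policy a `Content-Security-Policy` with restrictive `script-src` and `frame-src` directives enforces in the browser.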

The skimmer, the security researchers reveal, has evolved slightly over time and wasn’t always used for the rogue iframe technique. The attack also shows that hackers have many ways of stealing data from online shoppers with web skimmers and don’t always rely on supply-chain attacks for that. 

“Compromising vulnerable e-commerce sites via automated attacks is the most common approach. Once the skimmer is injected into the payment page, it can steal any data that is entered and immediately send it to the crooks. […] even e-commerce sites that do not collect payment data themselves can be affected when the attackers inject previously non-existent credit card fields into the checkout page,” Malwarebytes concludes. 

Related: Picreel and Alpaca Forms Compromised by Magecart Attacks

Related: Magecart Hackers Change Tactics Following Public Exposure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
