Magecart Skimmer Poses as Payment Service Provider

The skimmer used in a recently discovered Magecart attack on a Magento-based e-commerce website was posing as a payment service provider via a rogue iframe, Malwarebytes reports.

The Magecart hackers made a name for themselves last year after a series of high-profile attacks, such as those on Ticketmaster, British Airways, and Newegg.

The hackers changed tactics following detailed reports on the activity of multiple groups, but the attacks continued, with the most recent of them hitting campus e-commerce sites and Picreel and Alpaca Forms.

One of the techniques used by the Magecart attackers to steal payment card data is to place their web skimmers onto check-out pages. The same method was used in the attack Malwarebytes observed, but with a twist. 

The attackers added a bogus iframe to the retailer’s payment page asking users to enter their credit card data, even though the page did not include such a form and instead redirected customers to a payment service provider (PSP).

The website uses the popular Magento e-commerce platform, which helps merchants comply with the Payment Card Industry Data Security Standard (PCI DSS) by eliminating the need to host sensitive data on the Magento application server itself.

The shopping website would normally redirect users to a PSP to complete the purchase, but the attackers added their card-data-grabbing form to the check-out page while leaving the redirection in place.

As a result, right beneath the fake credit card field, the text reads: “Then you will be redirected to PayuCheckout website when you place an order.”

“And indeed the unsuspecting shopper will then be taken to another—legitimate this time—payment form to re-enter their credit card details. This should be an immediate red flag if you have to type in your information twice. This is the kind of scenario we typically see with phishing sites as well,” Malwarebytes notes.

The code also validates the entered credit card data before exfiltrating it.

The hackers injected malicious code into all of the Magento site’s pages, but it only triggers if the URL in the address bar is the shopping cart checkout page. It also performs some additional checks (screen dimensions and presence of a web debugger) before continuing.

The code loads an external piece of JavaScript from thatispersonal[.]com, a domain registered with REGISTRAR OF DOMAIN NAMES REG.RU LLC and hosted in Russia. The data is exfiltrated in a custom encoded format.

The skimmer, the security researchers reveal, has evolved slightly over time and wasn’t always used with the rogue iframe technique. The attack also shows that hackers have many ways of stealing data from online shoppers with web skimmers and don’t always rely on supply-chain attacks to do so.

“Compromising vulnerable e-commerce sites via automated attacks is the most common approach. Once the skimmer is injected into the payment page, it can steal any data that is entered and immediately send it to the crooks. […] even e-commerce sites that do not collect payment data themselves can be affected when the attackers inject previously non-existent credit card fields into the checkout page,” Malwarebytes concludes. 
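The two indicators described above, a third-party script or iframe loaded from a host the merchant never approved and card-number fields appearing on a checkout page that is only supposed to redirect to the PSP, can be checked from a page's HTML. The following auditor is an added example, not Malwarebytes' or the affected site's code; the allow-listed hosts, the skimmer host name and the sample page are all constructed placeholders.

```python
"""Audit a checkout page for an injected card-capture form or iframe and for
script/iframe sources outside the merchant's approved hosts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the merchant's own host plus its legitimate PSP (constructed names).
ALLOWED_HOSTS = {"shop.example", "secure.payu.example"}
# Tokens that suggest a field collects card data; matched on whole tokens,
# so a name like "account_id" does not trip on the "cc" inside "account".
CARD_TOKENS = {"card", "cardnumber", "cc", "ccnum", "ccnumber", "cvv", "cvv2", "cvc"}


class CheckoutAuditor(HTMLParser):
    """Collects (kind, detail) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe"):
            host = urlparse(a.get("src", "")).hostname  # None for relative or inline
            if host and host not in ALLOWED_HOSTS:
                self.findings.append((f"third-party-{tag}", host))
        elif tag == "input":
            probe = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete", "placeholder"))
            tokens = set(re.split(r"[^a-z0-9]+", probe.lower()))
            if tokens & CARD_TOKENS:
                self.findings.append(("card-input", a.get("name") or a.get("id")))


def audit_checkout(html):
    """Return the list of findings for one checkout page's HTML."""
    auditor = CheckoutAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: legitimate assets plus an injected loader, iframe and card fields.
SAMPLE_PAGE = """
<script src="/static/js/checkout.js"></script>
<script src="https://shop.example/js/app.js"></script>
<script src="https://skimmer-host.invalid/loader.js"></script>
<iframe src="https://skimmer-host.invalid/pay.html"></iframe>
<input name="email" placeholder="Email">
<input name="cc_number" placeholder="Card number">
<input name="cardholder_cvv">
<p>Then you will be redirected to PayuCheckout website when you place an order.</p>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Running this over a saved copy of the checkout page on a schedule, and diffing the findings against a known-good baseline, catches the "previously non-existent credit card fields" case the researchers describe even when the injection sits in an otherwise unchanged page.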

Related: Picreel and Alpaca Forms Compromised by Magecart Attacks

Related: Magecart Hackers Change Tactics Following Public Exposure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
