The skimmer used in a recently discovered Magecart attack on a Magento-based e-commerce website was posing as a payment service provider via a rogue iframe, Malwarebytes reports.
The Magecart hackers made a name for themselves last year, after a series of high-profile attacks, such as those on Ticketmaster, British Airways, or Newegg.
The hackers changed tactics following detailed reports on the activity of multiple groups, but the attacks continued, with the most recent of them hitting campus e-commerce sites and Picreel and Alpaca Forms.
One of the techniques used by the Magecart attackers to steal payment card data is to place their web skimmers onto check-out pages. The same method was used in the attack Malwarebytes observed, but with a twist.
The attackers added a bogus iframe onto a retailer’s payment page to ask users to enter their credit card data although the page did not include such a form but instead redirected customers to a payment service provider (PSP).
The website uses the popular Magento e-commerce platform, which helps merchants comply with security requirements from Payment Card Industry Data Security (PCI-DSS) by eliminating the need to host sensitive data on the Magento application server itself.
The shopping website would normally redirect users to a PSP to complete the purchase, but the attackers added their payment card data grabbing form on the check-out page, while also leaving the redirection there.
Thus, right beneath the fake credit card field, the text says: “Then you will be redirected to PayuCheckout website when you place an order.”
“And indeed the unsuspecting shopper will then be taken to another— legitimate this time—payment form to re-enter their credit card details. This should be an immediate red flag if you have to type in your information twice. This is the kind of scenario we typically see with phishing sites as well,” Malwarebytes notes.
The code also validates the entered credit card data before exfiltrating it.
The hackers injected malicious code into all of the Magento site’s pages, but it only triggers if the URL in the address bar is the shopping cart checkout page. It also performs some additional checks (screen dimensions and presence of a web debugger) before continuing.
The code loads an external piece of JavaScript from thatispersonal[.]com, a domain registered with REGISTRAR OF DOMAIN NAMES REG.RU LLC and hosted in Russia. The data is exfiltrated in a custom encoded format.
The skimmer, the security researchers reveal, has evolved slightly over time and wasn’t always used for the rogue iframe technique. The attack also shows that hackers have many ways of stealing data from online shoppers with web skimmers and don’t always rely on supply-chain attacks for that.
“Compromising vulnerable e-commerce sites via automated attacks is the most common approach. Once the skimmer is injected into the payment page, it can steal any data that is entered and immediately send it to the crooks. […] even e-commerce sites that do not collect payment data themselves can be affected when the attackers inject previously non-existent credit card fields into the checkout page,” Malwarebytes concludes.
Related: Picreel and Alpaca Forms Compromised by Magecart Attacks
Related: Magecart Hackers Change Tactics Following Public Exposure