[BreachExchange] Card Skimmer Hits Australian Bushfire Donation Site

Destry Winant destry at riskbasedsecurity.com
Wed Jan 15 10:01:35 EST 2020


https://threatpost.com/card-skimmer-australian-bushfire-donation-site/151841/

Magecart groups using automated infection scans infected the site,
which was running outdated Magento software.

Concerned global citizens making donations to help fight the massive
Australia bushfires have been caught up in a Magecart attack, after
one of the groups implanted a payment-card skimmer on the check-out
page of a legitimate online donation site.

Researchers ran across the Magecart script, named “ATMZOW” after one
of the strings in the code, stealing form data from the checkout page
of the site. This included the payment-card data itself (name on card,
number, expiry and CVV) as well as additional personal information
such as name and billing address.

Jérôme Segura, director of threat intelligence at Malwarebytes, told
Threatpost that this particular script uses typical obfuscation but
also has some anti-debugging tricks. It infected the site via its
e-commerce platform, which he said hadn’t been patched or updated in a
while.

“The compromised site is running Magento, by far the most targeted CMS
when it comes to skimming, and was outdated, which is likely how the
attackers were able to inject it with malware,” he said in an email
interview. “We don’t believe this site was targeted on its own, but
rather was victim of an automated attack based on exploiting known
vulnerabilities. This reinforces the idea that any site, big or small,
business or not for profit, is a valuable resource for criminals.”

Segura declined to name the affected site (but said that it was
informed of the problem and that the malicious code “has been removed
from the site as we speak”). However, researchers traced the skimmer
back to its control panel, a known exfiltration domain at
vamberlo[.]com.

“The same ATMZOW script had already been injected into dozens of other
websites before this one and using the same exfiltration domain as
well,” Segura told Threatpost.

Troy Mursch of Bad Packets Report said via tweet that the PublicWWW
tool indeed shows that ATMZOW is active on 39 other websites, and
posted a screenshot.

Magecart is an umbrella term encompassing several different threat
groups who typically use the same modus operandi. They compromise
websites by exploiting vulnerabilities in third-party e-commerce
platforms, in order to inject card-skimming scripts on checkout pages.
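One defender-side check this modus operandi calls for, given here as an added example that is not code from the article or from Malwarebytes: audit a snapshot of a checkout page's HTML and flag any external script loaded from a host outside an allowlist or from the exfiltration domain named above, plus any inline script whose content hash is not in a known-good baseline (the allowlist, the sample page and the baseline are constructed for the example).

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
# Exfiltration domain named in the article, kept defanged here and refanged at use.
KNOWN_EXFIL_DOMAINS = {d.replace("[.]", ".") for d in ["vamberlo[.]com"]}


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_checkout_page(html, allowed_hosts, baseline_hashes):
    """Return (reason, detail) findings; an empty list means nothing unexpected."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host in KNOWN_EXFIL_DOMAINS:
            findings.append(("known-exfil-domain", src))
        elif host and host not in allowed_hosts:
            findings.append(("unlisted-script-host", src))
    for body in parser.inline:
        # Obfuscation hides the exfil URL inside an inline skimmer, so each
        # inline script is instead diffed against a known-good baseline of hashes.
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("inline-script-not-in-baseline", digest[:12]))
    return findings


# Constructed sample: the shop's own scripts plus an injected loader from the exfil domain.
SAMPLE_HTML = ('<form id="checkout"></form><script src="/static/checkout.js"></script>'
               '<script>window.shopConfig = {currency: "AUD"};</script>'
               '<script src="https://vamberlo.com/loader.js"></script>')
SHOP_HOSTS = {"cdn.shop.example"}  # assumed allowlist of legitimate script hosts
GOOD_INLINE = {hashlib.sha256(b'window.shopConfig = {currency: "AUD"};').hexdigest()}
```

Run periodically against a fetched copy of the live checkout page and alert on any non-empty result; the baseline has to be regenerated whenever the shop legitimately changes its inline scripts.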

At Virus Bulletin last October, researchers at RiskIQ said that
Magecart is now so ubiquitous that its infrastructure is flooding the
internet. There are at least 570 known command-and-control (C2)
domains for the group, with close to 10,000 hosts actively loading
those domains, researchers said.

Even so, Segura told Threatpost that this could be the tip of the iceberg.

“Client-side web skimmers have become well documented over the past
couple of years,” he said. “However, what we read about is probably
only a small fraction of the total number of active compromises. In
particular, we rarely ever hear about skimmers that work server-side
because only very few companies/researchers are able to get visibility
into these breaches.”


More information about the BreachExchange mailing list