[BreachExchange] New Magecart Credit Card Skimmer Capable of Stealing Payment Information on Multiple Ecommerce Platforms
Destry Winant
destry at riskbasedsecurity.com
Tue Jan 12 10:39:56 EST 2021
https://www.cpomagazine.com/cyber-security/new-magecart-credit-card-skimmer-capable-of-stealing-payment-information-on-multiple-ecommerce-platforms/
Sansec researchers discovered a new multi-platform credit card skimmer
stealing payment information from various stores hosted on major
eCommerce platforms such as ZenCart, WooCommerce, Shopify, and
BigCommerce.
The eCommerce malware identified as a Magecart variant hijacks the
checkout process by injecting a fake payment form to collect the
customers’ credit card details. The new variant also compromises
e-commerce platforms that do not support custom JavaScript checkout
forms.
Magecart is an umbrella term for several cybercriminal gangs using
various tools, techniques, and procedures to steal payment information
and personal data from customers on various e-commerce sites, usually
through JavaScript injection. Sansec researchers, however, did not
link the campaign to a specific cybercrime gang.
Credit card skimmer supports eCommerce platforms prohibiting custom
JavaScript checkout pages
The recently-discovered Magecart credit card skimmer variant works on
multiple eCommerce platforms, unlike the previous variants that
targeted a single e-commerce platform at a time.
Surprisingly, the card skimmer works even on eCommerce platforms such
as Shopify and BigCommerce that do not allow custom JavaScript code.
It functions by injecting a fake payment form and recording the
customers’ keystrokes just before they navigate to the real payment
form.
Card skimmer employs several ingenious detection evasion tactics
When customers enter their credit card information and hit the proceed
button, the fake payment form throws an error and redirects the buyer
to the real payment page to evade detection.
The security researchers also found that the credit card skimmer
exfiltrated the payment information to programmatically generate
exfiltration domains created from a base64 encoded counter.
Examples of exfiltration domains include zg9tywlubmftzw5ldze[.]com and
zg9tywlubmftzw5ldza[.]com, with the latter being registered on August
31, 2020.
The credit card skimmer sometimes masquerades as a PayPal checkout
page requesting various details such as billing address, zip code,
cardholder name, credit card number, expiry date, and CVV/CVC.
Sansec researchers did not explain whether the credit card skimmer
generated the fake payment form depending on the selected mode of
payment or if the spoofed PayPal form was loaded on every checkout.
Regardless, most customers would hardly detect any suspicious behavior
given that the hackers did their best to cover their tracks.
Similar Magecart attacks targeting online stores have been detected in
the wild. For example, researchers at Sansec discovered that attackers
hid another credit card data skimmer in CSS disguised as SVG social
media buttons. The malware payload and a JavaScript decoder could be
loaded at different locations, making it impossible to detect the card
skimmer based on code analysis.
Hackers possibly compromised a shared component used by multiple
eCommerce platforms
It remains a mystery how the threat actors behind the new Magecart
credit card skimmer variant managed to compromise multiple eCommerce
platforms. The security researchers suggested that the attackers
possibly breached a shared component, software, or a service used by
multiple eCommerce platforms.
“To summarize: this campaign shows that platforms are no boundary to
the profitable fraud of online skimming,” Sansec researchers said.
“Wherever customers enter their payment details, they are at risk.”
#Security researchers suggested that the attackers possibly breached a
shared component, software, or a service used by multiple #eCommerce
platforms. #respectdataClick to Tweet
Commenting on the multi-platform payment card skimmer, Saryu Nayyar,
CEO at Gurucul, said that Sansec’s discovery was yet “another
indication of how sophisticated the attackers have become, while their
attack tools evolve to become more versatile and effective.”
More information about the BreachExchange
mailing list