A recently discovered multi-platform credit card skimmer can harvest payment info on compromised stores powered by Shopify, BigCommerce, Zencart, and Woocommerce.
The skimmer can be used to collect payment information of compromised stores and is connected to the Magecart community.
The first programmatically created exfiltration domain used by the skimmer in this campaign was registered for the first time on August 31. This indicates that this Magecart campaign has been active for a long time.
Although typically designed to target a single type of e-commerce platform, this new type of web skimming malware may take over the checkout process in stores using multiple online store management systems by inserting a malicious checkout page.
It does so by displaying a fake payment page before any customers land on the real checkout form and uses a keylogger to intercept personal and payment information.
Once the customers have entered their credit card information, the skimmer will show an error and customers will be redirected to the real payment page to avoid any suspicion.
Attackers could have violated a common feature, such as software or a service used by all compromised traders. This may be the reason behind a number of hacked e-commerce websites.
Another fascinating technique used by this skimmer is how it exfiltrates data to automatically generated counter-based domains encoded using base64 encoding (examples of such domains are zg9tywlubmftzw5ldza[.]com, zg9tywlubmftzw5ldze[.]com, and so on).
“To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming,” said Sansec. “Wherever customers enter their payment details, they are at risk.”
Over the last few months, Sansec researchers have discovered multiple Magecart campaigns using advanced methods to avoid detection and persistence in hacked shops.
For eg, they found a credit card stealer script concealed in plain sight using CSS code to avoid being discovered, a web skimming malware capable of camouflage as SVG social media buttons, and almost impossible to get rid of credit card stealer bundling a persistent backdoor.
They also spotted a stealthy remote access trojan (RAT) malware used by Magecart threat actors to maintain persistence and regain access to compromised online store servers.
However, the malware dropper used to load the RAT on infected online stores also unintentionally put the beans on a list of hundreds of compromised stores.
Malware was found deployed in many Magento-powered online stores and scheduled for automatic activation on Black Friday.
In recent months, Magecart’s campaigns have used groundbreaking methods to escape detection. Experts, therefore, recommend that customers remain extra vigilant and use two-factor authentication as well as virtual cards for any financial transaction. In addition, companies are encouraged to evaluate the protection of their third-party vendors on a regular basis.