Sansec researchers discovered a new multi-platform credit card skimmer stealing payment information from various stores hosted on major eCommerce platforms such as ZenCart, WooCommerce, Shopify, and BigCommerce.
The eCommerce malware identified as a Magecart variant hijacks the checkout process by injecting a fake payment form to collect the customers’ credit card details. The new variant also compromises e-commerce platforms that do not support custom JavaScript checkout forms.
Magecart is an umbrella term for several cybercriminal gangs using various tools, techniques, and procedures to steal payment information and personal data from customers on various e-commerce sites, usually through JavaScript injection. Sansec researchers, however, did not link the campaign to a specific cybercrime gang.
Credit card skimmer supports eCommerce platforms prohibiting custom JavaScript checkout pages
The recently discovered Magecart credit card skimmer variant works on multiple eCommerce platforms, unlike the previous variants that targeted a single e-commerce platform at a time.
Surprisingly, the card skimmer works even on eCommerce platforms such as Shopify and BigCommerce that do not allow custom JavaScript code.
It functions by injecting a fake payment form and recording the customers’ keystrokes just before they navigate to the real payment form.
Card skimmer employs several ingenious detection evasion tactics
When customers enter their credit card information and hit the proceed button, the fake payment form throws an error and redirects the buyer to the real payment page to evade detection.
The security researchers also found that the credit card skimmer exfiltrated the payment information to programmatically generated exfiltration domains, each derived from a base64-encoded counter.
Examples of exfiltration domains include zg9tywlubmftzw5ldze[.]com and zg9tywlubmftzw5ldza[.]com, with the latter being registered on August 31, 2020.
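From a detection standpoint, a domain sequence built from a counter can be regenerated and matched against DNS logs. The following is an added example (not Sansec's or the skimmer's code): decoding the two domains quoted above, with base64 case restored, gives "domainnamenew1" and "domainnamenew0", so the seed string used here is derived from those examples; the dnsmasq-style log lines are constructed.

```python
import base64
import re

# Decoding the two domains quoted in the article (base64 case restored) gives
# "domainnamenew1" and "domainnamenew0": each label is base64(seed + counter)
# with the "=" padding stripped and the result lowercased. Seed derived here.
SEED = "domainnamenew"
TLD = "com"


def skimmer_label(seed: str, counter: int) -> str:
    """Lowercased, unpadded base64 label for one counter value."""
    raw = base64.b64encode(f"{seed}{counter}".encode()).decode()
    return raw.rstrip("=").lower()


def candidate_domains(start: int = 0, count: int = 100) -> set[str]:
    """Regenerate the domain sequence so logs and blocklists can be checked."""
    return {f"{skimmer_label(SEED, n)}.{TLD}" for n in range(start, start + count)}


# dnsmasq-style "query[A] <name> from <client>" lines; assumed log format.
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)")


def find_exfil_lookups(log_lines, candidates):
    """Return (line_no, domain) for every lookup of a generated domain.

    DNS names are case-insensitive and base64 is not, so compare lowercased.
    """
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = QUERY_RE.search(line)
        if m and m.group(1).lower() in candidates:
            hits.append((lineno, m.group(1).lower()))
    return hits


# Constructed sample log: two benign lookups and two skimmer lookups.
SAMPLE_LOG = [
    "Sep  1 10:02:11 dnsmasq[812]: query[A] cdn.example.com from 10.0.0.5",
    "Sep  1 10:02:12 dnsmasq[812]: query[A] zg9tywlubmftzw5ldze.com from 10.0.0.5",
    "Sep  1 10:02:13 dnsmasq[812]: query[AAAA] api.example.org from 10.0.0.7",
    "Sep  1 10:02:14 dnsmasq[812]: query[A] Zg9tYWlubmFtZW5ldzA.com from 10.0.0.5",
]

if __name__ == "__main__":
    for lineno, domain in find_exfil_lookups(SAMPLE_LOG, candidate_domains()):
        print(f"line {lineno}: lookup of generated exfil domain {domain}")
```

Because lowercasing discards base64 case, a domain cannot be decoded back directly; regenerating the sequence forward from the seed is the reliable way to match it.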
The credit card skimmer sometimes masquerades as a PayPal checkout page requesting various details such as billing address, zip code, cardholder name, credit card number, expiry date, and CVV/CVC.
Sansec researchers did not explain whether the credit card skimmer generated the fake payment form depending on the selected mode of payment or if the spoofed PayPal form was loaded on every checkout. Regardless, most customers would hardly detect any suspicious behavior given that the hackers did their best to cover their tracks.
Similar Magecart attacks targeting online stores have been detected in the wild. For example, researchers at Sansec discovered that attackers hid another credit card data skimmer in CSS disguised as SVG social media buttons. The malware payload and a JavaScript decoder could be loaded at different locations, making it impossible to detect the card skimmer based on code analysis.
Hackers possibly compromised a shared component used by multiple eCommerce platforms
It remains a mystery how the threat actors behind the new Magecart credit card skimmer variant managed to compromise multiple eCommerce platforms. The security researchers suggested that the attackers possibly breached a shared component, software, or a service used by multiple eCommerce platforms.
“To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming,” Sansec researchers said. “Wherever customers enter their payment details, they are at risk.”
Commenting on the multi-platform payment card skimmer, Saryu Nayyar, CEO at Gurucul, said that Sansec’s discovery was yet “another indication of how sophisticated the attackers have become, while their attack tools evolve to become more versatile and effective.”