Sansec researchers discovered a new multi-platform credit card skimmer stealing payment information from various stores hosted on major eCommerce platforms such as ZenCart, WooCommerce, Shopify, and BigCommerce.
The recently discovered Magecart credit card skimmer variant works on multiple eCommerce platforms, unlike previous variants, which each targeted a single platform at a time.
It functions by injecting a fake payment form and recording the customers’ keystrokes just before they navigate to the real payment form.
Card skimmer employs several ingenious detection evasion tactics
When customers enter their credit card information and hit the proceed button, the fake payment form throws an error and redirects the buyer to the real payment page to evade detection.
The security researchers also found that the credit card skimmer exfiltrated the payment information to programmatically generated exfiltration domains, each derived from a base64-encoded counter.
Examples of exfiltration domains include zg9tywlubmftzw5ldze[.]com and zg9tywlubmftzw5ldza[.]com, with the latter being registered on August 31, 2020.
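Added example, not code or analysis from Sansec's report: restoring the base64 case of the two sample labels group by group decodes them to the string domainnamenew followed by 0 and 1, a decoding made here rather than a statement the article makes. The block reproduces the labels from that seed and a counter, recovers candidate plaintexts from a lowercased label, and lists sibling labels for a counter range so a defender can search DNS or proxy logs for them.

```python
import base64
import itertools
import string

# Sample labels from the article with the "[.]com" defanging removed (constructed input).
OBSERVED = ["zg9tywlubmftzw5ldze", "zg9tywlubmftzw5ldza"]
# Plaintext alphabet assumed for the seed+counter string: lowercase letters and digits.
PLAINTEXT_CHARS = set(string.ascii_lowercase + string.digits)


def counter_label(seed: str, counter: int) -> str:
    """Lowercased, unpadded base64 of seed+counter: the shape of the observed labels."""
    raw = base64.b64encode(f"{seed}{counter}".encode("ascii")).decode("ascii")
    return raw.rstrip("=").lower()


def sibling_labels(seed: str, start: int, stop: int) -> list[str]:
    """Labels for a counter range, e.g. to search DNS/proxy logs or pre-seed a blocklist."""
    return [counter_label(seed, n) for n in range(start, stop)]


def _group_candidates(group: str) -> list[bytes]:
    """Restore the case of one base64 group (<= 4 chars); groups decode independently."""
    padded = group + "=" * (-len(group) % 4)
    letter_pos = [i for i, ch in enumerate(padded) if ch.isalpha()]
    found = []
    for flags in itertools.product((False, True), repeat=len(letter_pos)):
        chars = list(padded)
        for pos, upper in zip(letter_pos, flags):
            chars[pos] = chars[pos].upper() if upper else chars[pos]
        cased = "".join(chars)
        try:
            decoded = base64.b64decode(cased, validate=True)
        except ValueError:  # bad padding, e.g. a 1-char trailing group
            continue
        # Keep only canonical encodings (re-encoding round-trips) of [a-z0-9] text.
        canonical = base64.b64encode(decoded).decode("ascii") == cased
        if decoded and canonical and all(chr(b) in PLAINTEXT_CHARS for b in decoded):
            found.append(decoded)
    return found


def recover_plaintexts(label: str) -> list[str]:
    """All [a-z0-9] strings whose lowercased, unpadded base64 equals the label."""
    label = label.lower()
    per_group = [_group_candidates(label[i:i + 4]) for i in range(0, len(label), 4)]
    if not per_group or any(not c for c in per_group):
        return []
    return [b"".join(combo).decode("ascii") for combo in itertools.product(*per_group)]
```

Because DNS lowercases the label, decoding has to try both cases of each letter; checking canonical re-encoding removes the spurious candidates that non-zero padding bits would otherwise admit.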
The credit card skimmer sometimes masquerades as a PayPal checkout page requesting various details such as billing address, zip code, cardholder name, credit card number, expiry date, and CVV/CVC.
Sansec researchers did not explain whether the credit card skimmer generated the fake payment form depending on the selected mode of payment or if the spoofed PayPal form was loaded on every checkout. Regardless, most customers would hardly detect any suspicious behavior given that the hackers did their best to cover their tracks.
Hackers possibly compromised a shared component used by multiple eCommerce platforms
It remains a mystery how the threat actors behind the new Magecart credit card skimmer variant managed to compromise multiple eCommerce platforms. The security researchers suggested that the attackers possibly breached a shared component, software package, or service used by multiple eCommerce platforms.
“To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming,” Sansec researchers said. “Wherever customers enter their payment details, they are at risk.”
Commenting on the multi-platform payment card skimmer, Saryu Nayyar, CEO at Gurucul, said that Sansec’s discovery was yet “another indication of how sophisticated the attackers have become, while their attack tools evolve to become more versatile and effective.”