This tactic is often used in phishing attacks to trick victims into thinking a phishing page is actually legitimate, he added.
“If the malicious code doesn’t detect developer tools in the browsing session, the stolen credit card information skimmed by the malware is categorized for exfiltration to a remote server. The bad actors again attempt to deceive visitors with another fake Google domain—google[.]ssl[.]lnfo[.]cc,” reads the analysis.
The researcher also notes that the credit card skimmer itself supports dozens of payment gateways, suggesting that the threat actor behind the attacks put a lot of effort into this campaign.
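The fake Google domain quoted above works because "google" appears as a label of a hostname that Google does not own. The following is an added example, not code from the analysis or from the skimmer, showing one way a defender could flag such hosts in proxy logs or CSP reports; the allowlist, function names and sample hosts are assumptions made for illustration.

```javascript
// Added example, not code from the analysis: flag hosts that carry a trusted
// brand name in a label but are not under a domain that brand owns.

// Assumption: a short allowlist of brand-owned domains; extend it before use.
const TRUSTED = {
  google: ["google.com", "googleapis.com", "gstatic.com", "googletagmanager.com"],
};

// Indicators are often written defanged ("[.]", "hxxp"); normalise before parsing.
function refang(value) {
  return value.replace(/\[\.\]|\(\.\)/g, ".").replace(/^hxxp/i, "http");
}

// Lowercase hostname from a URL or bare host, or null if it cannot be parsed.
function hostOf(value) {
  const v = refang(value.trim());
  const url = /^[a-z][a-z0-9+.-]*:\/\//i.test(v) ? v : "http://" + v;
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

function isUnder(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns the impersonated brand, or null when nothing suspicious is found.
function impersonatedBrand(value) {
  const host = hostOf(value);
  if (!host) return null;
  for (const [brand, domains] of Object.entries(TRUSTED)) {
    if (domains.some((d) => isUnder(host, d))) continue;
    if (host.split(".").some((label) => label.includes(brand))) return brand;
  }
  return null;
}

// Constructed sample of outbound hosts, e.g. from proxy logs or CSP reports.
const observed = [
  "https://www.google.com/recaptcha/api.js",
  "google[.]ssl[.]lnfo[.]cc", // domain quoted in the analysis, still defanged
  "https://fonts.gstatic.com/s/a.woff2",
  "https://cdn.example.net/checkout.js",
];

const flagged = (list) => list.filter((u) => impersonatedBrand(u) !== null);
console.log(flagged(observed));
```

Legitimate brand-owned domains that are missing from the allowlist will also be flagged, so treat hits as leads to review rather than verdicts.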