29 July 2019

Magecart hackers use a new trick to pilfer credit card data


The Sucuri research team has uncovered a new Magecart campaign that injects a multi-gateway skimmer loaded from fake Google domains in order to steal payment data when unaware visitors make transactions. The operation was detected when a Magento website owner found the site's domain blacklisted by McAfee's SiteAdvisor service. Closer inspection revealed that the culprit was a JavaScript-based payment card skimmer embedded in the site.

“Our investigation revealed that the site had been infected with a credit card skimmer loading JavaScript from the malicious internationalized domain google-analytîcs[.]com (or xn--google-analytcs-xpb[.]com in ASCII). The malicious user purposely selected the domain name with the intention of deceiving unsuspecting victims. Website visitors may see a reputable name (like “Google”) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature,” explained Sucuri’s Luke Leal.

This tactic is often used in phishing attacks to trick victims into thinking a phishing page is actually legitimate, he added.

The card skimming script injected by the threat actor "uses the loaded JavaScript to capture any input data using the document.getElementsByTagName and input or stored element names for capturing drop down menu data." What makes it stand out from other card skimming scripts is its ability to alter its behaviour based on whether developer tools are open in Google Chrome or Mozilla Firefox. When it detects developer tools in either browser, the skimmer script does not send the collected data to the command-and-control server, most likely to avoid detection by anyone inspecting the page.

“If the malicious code doesn’t detect developer tools in the browsing session, the stolen credit card information skimmed by the malware is categorized for exfiltration to a remote server. The bad actors again attempt to deceive visitors with another fake Google domain—google[.]ssl[.]lnfo[.]cc,” reads the analysis.

The researcher also notes that the credit card skimmer itself supports dozens of payment gateways, suggesting that the threat actor behind the attacks put a lot of effort into this campaign.
