The ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users. The cyber threat actor used original logos from the compromised store and customized a web element known as a modal to hijack the checkout page perfectly. Interestingly, the “skimmer” page looks more authentic than the original payment page. It must be the improved graphics.[1]
The term Magecart is a catch-all that refers to several cybercrime groups which employ online skimming techniques to steal personal data from websites, most commonly customer details and payment information on e-commerce websites. The first Magecart-like attacks were observed as early as 2010. As of 2022, over 70,000 stores are estimated to have been compromised with a web skimmer.
Magecart is a consortium of malicious hacker groups that target online shopping cart systems, usually, the Magento system, to steal customer payment card information. This is known as a supply chain attack. The idea behind these attacks is to compromise a third-party piece of software from a VAR or systems integrator or infect an industrial process unbeknownst to IT. The name originates from the groups' initial targeting of the Magento platform.
Shopping carts are attractive targets because they collect customer payment information: if your malware can tap into this data stream, you have a ready-made card collection tool. Almost all e-commerce sites that use shopping carts don’t properly vet the code used with these third-party pieces, a recipe for a ready-made hack.
These digital skimming attacks, called Formjacking, traditionally leverage various JavaScript trickery to siphon sensitive information from website users. The latest iteration seen on an unnamed Parisian travel accessory store running on the PrestaShop CMS involved the injection of a skimmer called Kritec in intercepting the checkout process and displaying a fake payment dialog to victims.
Formjacking is a cyberattack where hackers inject malicious JavaScript code into a webpage form, usually a payment form, to collect sensitive user information, such as credit card details and personal data. Formjacking is a form of e-skimming or man-in-the-middle attack, where the hackers intercept the communication between the user and the website without their knowledge or consent. Formjacking is stealthy and inconspicuous because it happens on the client side, outside of detecting some security systems. Formjacking is another supply chain attack where hackers target a vulnerable provider within the service or supply chain, such as a payment processor.
Kritec, previously detailed by Akamai and Malwarebytes in January 2023, has been found to impersonate legitimate third-party vendors like Google Tag Manager as an evasion technique. The investigators said the skimmer is complex and heavily obfuscated, with the malicious modal loaded upon selecting a credit card as the payment option from the compromised website.
Once the payment card details are harvested, a fake error message about payment cancellation is briefly displayed to the victim before redirecting to the actual payment page, at which point the payment will go through. The skimmer will drop a cookie which will serve as an indication that the current session is now marked as completed. If the user was to go back and attempt the payment again, the malicious modal would no longer be displayed.
The threat actors behind the operation are said to be using different domains to host the skimmer, which is given similar names: "[name of store]-loader.js," suggesting that the attacks are targeting different online stores with custom models. Discerning whether an online store is trustworthy has become very difficult, and this case is a good example of a skimmer that would not raise any suspicion.
The findings come a little over two months after Malwarebytes unearthed another web skimmer that collects browser fingerprint data, such as IP addresses and User-Agent strings, along with credit card information, likely in an attempt to monitor invalid users such as bots and security researchers.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html
Comments