Saturday, December 7, 2024
HomeCyber Security NewsNew Skimmer Malware Steals Credit Card Data From Checkout Pages

New Skimmer Malware Steals Credit Card Data From Checkout Pages

Published on

SIEM as a Service

A JavaScript-based malware targeting Magento eCommerce websites has been identified, which is designed to skim payment card details and activates exclusively on checkout pages. 

The malware dynamically generates a fraudulent credit card form or directly extracts sensitive payment information, where the stolen data is encrypted and transmitted to a remote server. 

The attack vector involves both filesystem and database infiltration, and the malware employs sophisticated obfuscation techniques to evade detection.

- Advertisement - SIEM as a Service

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Currently, eight websites are confirmed to be infected, with two associated domains already blacklisted by VirusTotal.

Details of malware

Upon investigation, it was discovered to be a malicious script that originated from the blacklisted domain “dynamicopenfonts.app” and was found on a Magento website. 

It was found embedded in two locations: within the “default.xml” file located under the Magento theme directory (./app/design/frontend/Magento/[Redacted]/Magento_Theme/layout/default.xml) and also referenced within the “core_config_data” database table. 

It is necessary to conduct additional research in order to locate and eliminate the malicious script completely, as this indicates the possibility of code injection. 

The malicious script, embedded within an XML file’s <referenceContainer> directive, targets web pages with “checkout” in the URL but excludes those containing “cart.” 

By loading just before the closing </body> tag, it is designed to activate under specific conditions, which likely indicates a potential credit card skimming attack, aiming to capture sensitive payment information from unsuspecting users during the checkout process.

Fake Credit Card Form Example

With the help of Magento APIs, the malicious script is able to extract sensitive credit card details from a checkout page and also collect additional user information. 

The collected data, including personal details and financial information, is then processed through a series of steps to obscure its content: first, it’s encoded as JSON, then XOR-encrypted with a specific key, and finally Base64-encoded for secure transmission.

Malware extracts and encrypts stolen payment details like credit card information from compromised online forms, which is then covertly transmitted to a remote server at hxxps://staticfonts[.]com using a beaconing technique. 

 the encrypted data is Base64-encoded to ensure safe transmission

According to Sucuri, beaconing involves a script silently sending data from the user’s device to the server without interrupting their activity, making it a stealthy method for exfiltrating stolen information. 

Magento checkout pages are vulnerable to sophisticated skimmers that inject fake forms or extract live input fields, stealing sensitive payment data.

To mitigate this risk, consistently update the site and apply security patches, or deploy a WAF for virtual patching. 

Regularly review and strengthen admin account passwords, implement file integrity monitoring to detect unauthorized changes, and deploy a robust WAF to block malicious traffic and prevent hacking attempts.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...