New Skimmer Malware Steals Credit Card Data From Checkout Pages

A JavaScript-based malware targeting Magento eCommerce websites has been identified, which is designed to skim payment card details and activates exclusively on checkout pages. 

The malware dynamically generates a fraudulent credit card form or directly extracts sensitive payment information, where the stolen data is encrypted and transmitted to a remote server. 

The attack vector involves both filesystem and database infiltration, and the malware employs sophisticated obfuscation techniques to evade detection.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Currently, eight websites are confirmed to be infected, with two associated domains already blacklisted by VirusTotal.

Upon investigation, it was discovered to be a malicious script that originated from the blacklisted domain “dynamicopenfonts.app” and was found on a Magento website. 

It was found embedded in two locations: within the “default.xml” file located under the Magento theme directory (./app/design/frontend/Magento/[Redacted]/Magento_Theme/layout/default.xml) and also referenced within the “core_config_data” database table. 

It is necessary to conduct additional research in order to locate and eliminate the malicious script completely, as this indicates the possibility of code injection. 

The malicious script, embedded within an XML file’s <referenceContainer> directive, targets web pages with “checkout” in the URL but excludes those containing “cart.” 

By loading just before the closing </body> tag, it is designed to activate under specific conditions, which likely indicates a potential credit card skimming attack, aiming to capture sensitive payment information from unsuspecting users during the checkout process.

With the help of Magento APIs, the malicious script is able to extract sensitive credit card details from a checkout page and also collect additional user information. 

The collected data, including personal details and financial information, is then processed through a series of steps to obscure its content: first, it’s encoded as JSON, then XOR-encrypted with a specific key, and finally Base64-encoded for secure transmission.

Malware extracts and encrypts stolen payment details like credit card information from compromised online forms, which is then covertly transmitted to a remote server at hxxps://staticfonts[.]com using a beaconing technique. 

According to Sucuri, beaconing involves a script silently sending data from the user’s device to the server without interrupting their activity, making it a stealthy method for exfiltrating stolen information. 

Magento checkout pages are vulnerable to sophisticated skimmers that inject fake forms or extract live input fields, stealing sensitive payment data.

To mitigate this risk, consistently update the site and apply security patches, or deploy a WAF for virtual patching. 

Regularly review and strengthen admin account passwords, implement file integrity monitoring to detect unauthorized changes, and deploy a robust WAF to block malicious traffic and prevent hacking attempts.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar