Cyber Security News

New Skimmer Malware Steals Credit Card Data From Checkout Pages

A JavaScript-based malware targeting Magento eCommerce websites has been identified, which is designed to skim payment card details and activates exclusively on checkout pages. 

The malware dynamically generates a fraudulent credit card form or directly extracts sensitive payment information, where the stolen data is encrypted and transmitted to a remote server. 

The attack vector involves both filesystem and database infiltration, and the malware employs sophisticated obfuscation techniques to evade detection.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Currently, eight websites are confirmed to be infected, with two associated domains already blacklisted by VirusTotal.

Details of malware

Upon investigation, it was discovered to be a malicious script that originated from the blacklisted domain “dynamicopenfonts.app” and was found on a Magento website. 

It was found embedded in two locations: within the “default.xml” file located under the Magento theme directory (./app/design/frontend/Magento/[Redacted]/Magento_Theme/layout/default.xml) and also referenced within the “core_config_data” database table. 

It is necessary to conduct additional research in order to locate and eliminate the malicious script completely, as this indicates the possibility of code injection

The malicious script, embedded within an XML file’s <referenceContainer> directive, targets web pages with “checkout” in the URL but excludes those containing “cart.” 

By loading just before the closing </body> tag, it is designed to activate under specific conditions, which likely indicates a potential credit card skimming attack, aiming to capture sensitive payment information from unsuspecting users during the checkout process.

Fake Credit Card Form Example

With the help of Magento APIs, the malicious script is able to extract sensitive credit card details from a checkout page and also collect additional user information. 

The collected data, including personal details and financial information, is then processed through a series of steps to obscure its content: first, it’s encoded as JSON, then XOR-encrypted with a specific key, and finally Base64-encoded for secure transmission.

Malware extracts and encrypts stolen payment details like credit card information from compromised online forms, which is then covertly transmitted to a remote server at hxxps://staticfonts[.]com using a beaconing technique. 

the encrypted data is Base64-encoded to ensure safe transmission

According to Sucuri, beaconing involves a script silently sending data from the user’s device to the server without interrupting their activity, making it a stealthy method for exfiltrating stolen information. 

Magento checkout pages are vulnerable to sophisticated skimmers that inject fake forms or extract live input fields, stealing sensitive payment data.

To mitigate this risk, consistently update the site and apply security patches, or deploy a WAF for virtual patching. 

Regularly review and strengthen admin account passwords, implement file integrity monitoring to detect unauthorized changes, and deploy a robust WAF to block malicious traffic and prevent hacking attempts.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick to…

2 days ago

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using compromised…

2 days ago

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign targeting…

2 days ago

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global companies,…

2 days ago

REF7707 Hackers Target Windows & Linux Systems with FINALDRAFT Malware

Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, tracked as REF7707, targeting entities across…

2 days ago

NVIDIA Container Toolkit Vulnerable to Code Execution Attacks

NVIDIA has issued a critical security update to address a high-severity vulnerability discovered in the…

2 days ago