Magecart, one of the cybercriminal groups, uses fake Google domains to host and download a skimmer with support for multiple payment gateways.
Experts from Sucuri conducted a study and found that one of the websites was infected with a skimmer to steal payment card data, downloading JavaScript code from the malicious internationalized google-analytîcs[.]com domain.“An interesting aspect of the JavaScript code is that it alters its behavior based on whether developer tools are open in Google Chrome or Mozilla Firefox. In fact, the malicious JavaScript doesn’t even exfiltrate any of the captured input data to the C2 server if developer tools are open. If the malicious code doesn’t detect developer tools in the browsing session, the stolen credit card information skimmed by the malware is categorized for exfiltration to a remote server”, — told Sucuri specialists.
Magecart is a term that unites several cybercriminal groups that specialize in implementing scripts to steal bankcard data in payment forms from the websites. They are responsible for attacks on companies such as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.
Recently, researchers uncovered a malicious campaign in which attackers successfully hacked 962 e-commerce sites.
Attackers use internationalized domain names (IDN) to mask servers that host malicious content in order to hide traffic from malicious domains under packages delivered from legitimate sites.
Using IDN to mask a server is one of the popular tactics used by attackers in fishing campaigns.
Since there are certain characters that can look very similar, but have different ASCII codes (for example, “a” in Cyrillic and a Latin letter “a”), an attacker can “fake” the URL of a web page. Instead of moving to a legitimate website, users can be redirected to a malicious portal identical to the real one. This way criminals can collect personal or financial information and then use and/or sell it.
Read also: More than 23 million credit cards are sold on the darknet: what customers can do about it?
One of the distinctive features of the skimmer used in the new Magecart attacks is the ability automatically change its behavior if the site opens in Google Chrome or Mozilla Firefox browsers. In this case, in order to avoid detection, the skimmer will not send the collected data to the C&C server.
The Magecart skimmer script also supports dozens of payment gateways, indicating that criminals are thoroughly prepared for this campaign, say Sucuri experts.
How to protect yourself?
Credit card skimmers are not a new phenomenon. To protect your ecommerce website, we strongly encourage Magento site owners to install the latest security patches as soon as they become available. If you are unable to update your site, you can leverage a web application firewall to virtually patch any vulnerabilities.
