New Skimmer Malware Steals Credit Card Info from Checkout Pages

Magecart cyberattacks target Magento eCommerce platforms by injecting malicious JavaScript into checkout pages; the script steals payment card data, encrypts it, and exfiltrates it to a remote server for later misuse.

Researchers discovered sophisticated malware targeting Magento checkout processes by employing advanced obfuscation to evade detection, compromising both the filesystem and database.

Infection source

VirusTotal lists two domains as malicious on the basis of its blocklist, and public reports indicate that these domains may be infecting websites with malware.

The researchers flagged a malicious script from the blacklisted domain dynamicopenfonts.app in a Magento store’s layout file (default.xml) and in its database configuration (the core_config_data table).

Malware details

The XML file contained a malicious <referenceContainer> directive that loaded an obfuscated JavaScript file just before the closing </body> tag, compromising every page that used the layout.
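The two injection points described above (a layout file and the core_config_data table) are also where a defender can look. The following script is an added example, not code from the article or from Sucuri: it parses a constructed default.xml, scans constructed core_config_data rows, and reports every script source whose host is not on a store-specific allowlist. The layout contents, the config rows and the allowlist are all hypothetical sample data; design/head/includes is Magento's "Miscellaneous Scripts" setting, which injects raw HTML into every page head.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a Magento layout file (default.xml). The
# before.body.end container is where content lands just before </body>;
# the injected <script> inside it is hypothetical sample content.
SAMPLE_LAYOUT_XML = """<?xml version="1.0"?>
<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <head>
    <script src="https://cdn.shop.example/js/theme.js"/>
  </head>
  <body>
    <referenceContainer name="before.body.end">
      <block class="Magento\\Framework\\View\\Element\\Text" name="injected.text">
        <arguments>
          <argument name="text" xsi:type="string"><![CDATA[
            <script src="https://dynamicopenfonts.app/fonts.js"></script>
          ]]></argument>
        </arguments>
      </block>
    </referenceContainer>
  </body>
</page>
"""

# Constructed rows from core_config_data; design/head/includes is the
# "Miscellaneous Scripts" setting that injects raw HTML into every page head.
SAMPLE_CONFIG_ROWS = [
    {"path": "web/secure/base_url", "value": "https://shop.example/"},
    {"path": "design/head/includes",
     "value": '<script src="https://dynamicopenfonts.app/loader.js"></script>'},
]

# Hosts the store legitimately loads scripts from (hypothetical allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Matches a raw <script ... src="..."> tag stored as text (CDATA or config value).
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def iter_layout_script_urls(xml_text):
    """Yield (location, url) for every script source in a layout XML file:
    real <script src=...> layout nodes and raw <script> tags in text/CDATA."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop any namespace prefix
        if tag == "script" and elem.get("src"):
            yield "layout:<script>", elem.get("src")
        if elem.text:
            for url in SCRIPT_SRC_RE.findall(elem.text):
                yield f"layout:<{tag}>", url


def iter_config_script_urls(rows):
    """Yield (location, url) for raw <script> tags stored in config values."""
    for row in rows:
        for url in SCRIPT_SRC_RE.findall(row.get("value") or ""):
            yield f"core_config_data:{row['path']}", url


def find_unapproved_script_hosts(xml_text, rows, allowed_hosts):
    """Return findings for script sources whose host is not on the allowlist."""
    findings = []
    sources = list(iter_layout_script_urls(xml_text)) + list(iter_config_script_urls(rows))
    for location, url in sources:
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            findings.append({"location": location, "host": host, "url": url})
    return findings


if __name__ == "__main__":
    for f in find_unapproved_script_hosts(SAMPLE_LAYOUT_XML, SAMPLE_CONFIG_ROWS, ALLOWED_HOSTS):
        print(f"{f['location']}: unapproved script host {f['host']} ({f['url']})")
```

Run against a real store, the same check would read the theme's layout XML files from disk and the rows from `SELECT path, value FROM core_config_data WHERE value LIKE '%<script%'`; the allowlist is the part that has to be maintained per site, and any host outside it in a container such as before.body.end deserves a look.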

It executes a function that checks whether the current URL contains the word “checkout” but not “cart,” which limits the script’s actions to the actual checkout pages and prevents unintended behavior elsewhere on the site.

The script harvests credit card and other sensitive user data from Magento’s checkout page, encodes the stolen data as JSON, XOR-encrypts it with the key ‘script’, and Base64-encodes the result before transmission.
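Because XOR with a fixed key is its own inverse, an analyst who has captured one of the beacon requests can reverse the chain above directly. The following is an added example, not code from the article or from the skimmer: it decodes a Base64 body, XORs it with the reported key and parses the JSON, and also offers a quick check for whether a candidate key yields valid JSON. The record and the payload are constructed here from hypothetical field names; the card number is the well-known Visa test number.

```python
import base64
import json

# Key the article reports the skimmer using for its XOR step.
SKIMMER_KEY = b"script"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte against a repeating key. XOR is its own inverse, so the
    same routine undoes the skimmer's 'encryption' when given the same key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_beacon_payload(b64_payload: str, key: bytes = SKIMMER_KEY) -> dict:
    """Reverse the chain the article describes: Base64 -> XOR(key) -> JSON."""
    raw = base64.b64decode(b64_payload, validate=True)
    return json.loads(xor_with_key(raw, key).decode("utf-8"))


def key_recovers_json(b64_payload: str, key: bytes) -> bool:
    """True when the candidate key turns the payload back into valid JSON.
    Useful for triage when the key is not yet known: every failure mode
    (bad Base64, non-UTF-8 bytes, non-JSON text) raises a ValueError."""
    try:
        decode_beacon_payload(b64_payload, key)
        return True
    except ValueError:
        return False


# Constructed sample record (field names and values are hypothetical; the
# card number is the well-known Visa test number, not real data).
SAMPLE_RECORD = {
    "cc_number": "4111111111111111",
    "cc_exp": "12/29",
    "email": "buyer@example.com",
}

# The beacon body as it would appear in a captured request, built here by
# running the constructed record through the same JSON -> XOR -> Base64 chain.
SAMPLE_PAYLOAD = base64.b64encode(
    xor_with_key(json.dumps(SAMPLE_RECORD).encode("utf-8"), SKIMMER_KEY)
).decode("ascii")


if __name__ == "__main__":
    print("captured beacon body:", SAMPLE_PAYLOAD)
    print("decoded:", decode_beacon_payload(SAMPLE_PAYLOAD))
    print("wrong key recovers JSON:", key_recovers_json(SAMPLE_PAYLOAD, b"wrong"))
```

Decoding captured beacons this way tells the incident responder which fields the skimmer collected and therefore which customers and card numbers have to be treated as exposed; it is the encoding step, not real cryptography, that the skimmer relies on to slip past casual inspection of the outbound request.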

Fake Credit Card Form Example

The malware in the compromised forms extracts and encrypts the stolen payment details, then uses beaconing to transmit the Base64-encoded data to a remote server, likely hosted on staticfonts.com.

Beaconing is a covert technique in which scripts or programs silently transmit data from user devices to remote servers without the user’s awareness. It is used by both legitimate and malicious parties, which makes it a convenient tool for attackers.

This Magecart-style skimmer targets Magento checkout pages to steal payment data through form injection or input-field extraction. The threat actor uses dynamic techniques and encryption to evade detection, which calls for proactive security measures such as regular audits, anomaly monitoring, and WAF deployment.

According to Sucuri, website security is improved by regularly updating software and plugins and by using strong, unique passwords for admin accounts. In addition, deploying a WAF provides protection against exploitation of vulnerabilities.

To safeguard website integrity and prevent unauthorized access, implement file integrity monitoring to promptly detect file modifications, and deploy a web application firewall to filter malicious traffic.


Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
