Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

New Skimmer Attack Steals Data From Over 100 E-Commerce Sites

Malicious JavaScript Steals Credit Card Data
New Skimmer Attack Steals Data From Over 100 E-Commerce Sites

A new skimmer attack that has injected malicious JavaScript into the payment sections of 105 ecommerce websites is stealing credit card and other customer data, security researchers warn.

See Also: OnDemand | Preventing Ecommerce Fraud while Removing User Friction

Researchers at the Chinese IT firm Qihoo 360 Netlab write in a blog that this attack, which has been ongoing for about five months, has affected sites that sell a range of consumer goods, including high-end handbags, mountain bikes, baby products, wine and electronics.

This scheme involves a malicious domain name called magento-analytics[.]com, which Netlab researchers first noticed in October 2018 and have been tracking ever since. The attackers are apparently trying to disguise themselves by using a name that closely resembles Magento, a content systems management platform owned by Adobe and used by thousands of online retailers.

This is the second time in a week that security researchers have uncovered a skimmer attack targeting ecommerce websites. On May 3, Trend Micro described the activities of a new group called Mirrorthief, which targeted online campus stores in both the U.S. and Canada (see: JavaScript Sniffer Attacks: More Online Stores Targeted).

Many other attacks using skimmers, also called JavaScript sniffers, are closely associated with an umbrella group called Magecart, which has increased its activity over the last year (see: Magecart Nightmare Besets E-Commerce Websites).

While Netlab doesn't mention Magecart in its report, the new attack it describes bears all the hallmarks of the group, says Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking Magecart and skimmer attacks over the last several months.

"It is exactly the same," Klijnsma tells Information Security Media Group. "This isn't a new style of attack; it's just another skimmer. The skimmer used here comes from a kit you can buy to start your web-skimming empire. We've seen the same code on a lot of other websites but served from many different domains because of the skimmer's accessibility."

Researchers believe Magecart-related groups have been responsible for attacks against British Airways, Ticketmaster, Newegg and other sites (see: Magecart Cybercrime Groups Harvest Payment Card Data).

Payment Sites in the Crosshairs

Over the last 12 months, criminal gangs have used skimmers or JavaScript sniffers in a series of attacks to steal credit card numbers and then sell them on dark net sites.

One reason that skimmers and JavaScript sniffers are gaining in popularity is that they are inexpensive to buy or develop, are difficult to remove once installed on a target site, and can be tailored to different needs and specific attacks, according to Group-IB, which has published extensive research on these malicious tools (see: E-Commerce JavaScript Sniffer Attacks Proliferate: Report).

These tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods. The malware is available for purchase for $250 to $5,000 on underground forums, the Group-IB analysis found.

In this latest case, Netlab researchers were able to track how the malicious JavaScript works on sites that were infected. In most cases, these skimmers are designed to steal credit card data, including the customer's name, card number, expiration date and CVV information.

Skimmer stealing credit card data during checkout (Image: Netlab)

In an example that Netlab researchers show, the malicious JavaScript runs in the background until the customer goes to the "Payment Information" page. Once the CVV information for the credit card is inputted, the malicious code sends the stolen data to the attack group.

Malicious Domain

At the heart of this new attack is the magento-analytics[.]com domain that Netlab researchers have tracked for several months. Originally registered in Panama, the IP address has moved several times to such far-flung locations as Arizona, Moscow and Hong Kong, according to the research.

From a regular browser, the magento-analytics[.]com domain returns a 403 page, and a Google search doesn't produce any answers either. But Netlab researchers were able to track the domain and study it.

In their analysis, the researchers note that the domain name has been hosting JS scripts since the beginning of December 2018. Once the JavaScript is loaded onto a site, the script attempts to skim credit card and other data every 500 milliseconds. And once it collects that information, it sends it back the gang controlling the attack, the Netab researchers report.

The legitimate Magento platform is a frequent target of Magecart and other groups due to its popularity with online retailers, according to research published by RiskIQ and Group-IB. One of the skimmers that these groups use is called MagentoName because it is designed to take advantage of vulnerabilities in older versions of the Magento content management system.

"For the most part, these attacks are relatively easy to undertake with a low bar of entry in terms of criminal sophistication," Klijnsma of RiskIQ says. He urges online retailers to update and patch their content management platforms to avoid these types of attacks.


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.