Magecart Skimmer Checkout Page Dupes Victim Store Forms

It’s becoming harder to distinguish a fake form generated in Magecart skimmer scams from the real deal thanks to a modal, a highly customized web element, that appears to be a legit checkout page but ultimately nicks credit card information.

“While following up on an ongoing Magecart credit card skimmer campaign, we were almost fooled by a payment form that looked so well done we thought it was real,” researchers at Malwarebytes wrote in a blog post. “The threat actor used original logos from the compromised store,” then customized a modal.

Noting that inserting frames or layers is not a new technique, the researchers said what sets “one of the most active Magecart attacks” they’ve tracked recently apart from others “is that the skimmer looks more authentic than the original payment page.” They also spotted many other “compromised sites with the same pattern of using a custom-made and fraudulent modal.”

Malwarebytes researchers first saw evidence of the Magecart campaign at a compromised website for a Parisian travel accessory store run on the PrestaShop CMS. “A skimmer we previously identified as Kritec was injected and loading malicious JavaScript that altered the checkout process,” they wrote.

“The modal disables and grays out the background so that the user can focus on the presented element instead,” they said, explaining that it “is an elegant way for website owners to keep their customers on the same website and have them interact with another form.”

In this case, the merchant’s actual payment flow redirected users “to a third-party processor hosted by Dalenys, part of French payment solutions company Payplug,” Malwarebytes explained. The payment processor’s page loads, the user enters their card details there, and once those are validated the processor sends them back to the merchant’s page.

“The malicious modal is built very cleanly and contains an animation that displays the store’s logo in the middle and then moves it back up,” the researchers wrote, grudgingly lauding the prowess of the threat actors.

“We have to give credit where credit is due: This is a very well-done skimmer that is actually a smoother user experience than the store’s default,” they said. “We should also note that the malware author is not only well-versed in web design, they also use proper language (French) for each form field.”

Despite the talents of the attackers, the research found “a small mistake in the hyperlink for Politique de confidentialité,” or privacy policy. “That link redirects to the terms of use for Mercado Pago, a payment processor used in South America,” they said. “It is likely the threat actor copied the data from a previous template and did not notice their mistake,” which did not in any way affect the functionality of the skimmer.

The researchers viewed the legitimate sequence by blocking “the skimmer when requesting the e-commerce page,” they said. “We simply blocked the connection to the malicious domain where the skimmer is hosted. As a result, the website will display what the original payment form should be (prior to the compromise).”

Malwarebytes says the Kritec skimmer likely “is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script.” Multiple threat actors may also be involved in those compromises, each customizing skimmers to fit their own campaigns.

The custom modals seem to have been created within the last two months, although a generic skimmer was used in many of the stores that were hacked.

“The threat actor is using different domains to host the skimmer but names them in a similar way: [name of store]-loader.js,” the researchers said.
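As an added defender’s check, not code from the Malwarebytes research or this article: a small Python routine that lists the external script sources on a captured checkout page and flags any hosted off the store’s own domain whose filename follows the “[name of store]-loader.js” pattern the researchers describe. The sample HTML, the store name and every domain in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page with an injected loader script.
# All hostnames are hypothetical placeholders, not real indicators.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-store.test/js/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://cdn-static.example-cdn.test/example-store-loader.js"></script>
<script src="https://www.example-store.test/js/modal.js"></script>
</head><body></body></html>
"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_scripts(html, store_host, allowed_hosts=()):
    """Return script URLs served from neither the store nor an allowlisted host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return [s for s in parser.sources
            if urlparse(s).hostname not in {store_host, *allowed_hosts}]


def suspicious_loaders(html, store_host, store_name):
    """Flag external scripts named '<store>-loader.js', the naming the report notes."""
    pattern = re.compile(rf"/{re.escape(store_name)}-loader\.js$", re.IGNORECASE)
    return [s for s in external_scripts(html, store_host)
            if pattern.search(urlparse(s).path)]


if __name__ == "__main__":
    for url in suspicious_loaders(SAMPLE_HTML, "www.example-store.test", "example-store"):
        print("review this external loader:", url)
```

Blocking the flagged host, as the researchers did, lets a site owner compare the checkout flow with what the uncompromised page should look like.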

“This technique is more than a decade old. Poor security controls and overall hygiene of websites have been a constant challenge,” said Roy Akerman, co-founder and CEO at Rezonate, who explained that there are protocols that can provide ways to avoid tampering by hackers during the purchase stage, “regardless of whether the website was breached, or any MITM (man-in-the-middle) attempts from a compromised endpoint were able to hijack a session and steal information.”

Akerman suggested that users could protect themselves in a number of ways, including attempting to enter incorrect information. “Assuming the look and feel is flawless and you had a reason to go into that site and did not receive a phishing email/smishing SMS as a trigger point, you could also try first to fake your credit info as a first step and see if you hit an alert/or are able to pass through,” he said.

Baber Amin, COO at Veridium, suggested that the following approaches also could help thwart Magecart attacks:

“It is important for website administrators to stay up-to-date with their content management system’s patches and plugins, and buying from reputable online vendors is the best option for end-users,” said Amin. “But users also should, if possible, use virtual cards online, use unique usernames and passwords on each site if they must create an account.”

Amin added that, if a store offers PayPal during checkout, use it, as it creates an indirect level of payment. A better solution is to use services like Apple Pay and Google Pay, which use tokenization to replace sensitive information with arbitrary tokens, Amin said.

“Since these tokens disappear after each authorization, they cannot be reused if stolen. The other advantage of these services is that they work both in-person and for online shopping. EMV or chip cards are reduced to the security of the older non-chip card when paying online, as there is no chip reader available.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.