Don’t Be Fooled by Their Sleek and Modern Appearance — It’s Magecart!
An ongoing Magecart campaign has caught the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
“The threat actor used the original logo of the compromised store and customized web elements known as modals to perfectly hijack the checkout page,” Jérôme Segura, director of threat intelligence at Malwarebytes, said. “The great thing here is that the skimmer looks even more authentic than the original checkout page.”
The term Magecart is a catch-all referring to several cybercrime groups that use online skimming techniques to steal personal data from websites – most commonly, customer details and payment information on e-commerce websites.
The name comes from the groups' initial targeting of the Magento platform. Based on data shared by Sansec, the first Magecart-like attack was observed in early 2010. By 2022, more than 70,000 stores are estimated to have been compromised with web skimmers.
The latest iteration, observed by Malwarebytes on an unnamed Paris travel accessories shop running on the PrestaShop CMS, involves the injection of a skimmer named Kritec to intercept the payment process and show victims a fake payment dialog.
Kritec, previously detailed by Akamai and Malwarebytes in February 2023, was found to impersonate legitimate third-party vendors such as Google Tag Manager as an evasion technique.
The cybersecurity firm says the skimmer is complex and highly obfuscated, with malicious modals loaded when a credit card is selected as the payment option on compromised websites.
Once the payment card details are collected, a fake error message about the payment being canceled is briefly shown to the victim, who is then redirected to the actual payment page, where the real payment is made.
“The skimmer will drop a cookie which serves as an indication that the current session is marked complete,” explains Segura. “If the user comes back and tries to make a payment again, the malicious modal will no longer be shown.”
The threat actor behind the operation is said to be using a different domain to host the skimmer, which follows a similar naming pattern, “(store name)-loader.js,” indicating that the attack is targeting a different online store with its own custom modal.
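As an added illustration, not code from Malwarebytes or the article, the Node.js helper below reviews a checkout page's script inventory for the tells described here: a script host outside the store's allowlist, a filename that mimics the store name with a “-loader.js” suffix, and a Google Tag Manager lookalike served from a non-Google host. The store hostname, allowlist and sample inventory are constructed assumptions.

```javascript
// Heuristic review of the <script> sources loaded on a checkout page.
// Constructed example for defenders; hostnames below are fictional.

// Hosts Google actually serves Tag Manager from (assumption for this example).
const GOOGLE_TAG_HOSTS = new Set(["www.googletagmanager.com", "googletagmanager.com"]);

// "www.shop-example.fr" -> "shop-example": crude label used for lookalike matching.
function storeLabel(hostname) {
  const parts = hostname.replace(/^www\./, "").split(".");
  return (parts.length > 1 ? parts.slice(0, -1).join(".") : hostname).toLowerCase();
}

// Returns one finding per suspicious script: { url, host, file, reasons[] }.
function reviewScripts(scriptUrls, storeHost, allowedHosts) {
  const label = storeLabel(storeHost);
  const allowed = new Set([storeHost, ...allowedHosts].map((h) => h.toLowerCase()));
  const findings = [];
  for (const raw of scriptUrls) {
    let url;
    try {
      url = new URL(raw, `https://${storeHost}/`); // resolve relative paths to the store
    } catch {
      findings.push({ url: raw, host: null, file: null, reasons: ["unparseable URL"] });
      continue;
    }
    const host = url.hostname.toLowerCase();
    const file = url.pathname.split("/").pop().toLowerCase();
    const reasons = [];
    if (!allowed.has(host)) {
      reasons.push("script host not on allowlist");
      if (file.endsWith("-loader.js") && file.startsWith(label)) {
        reasons.push("filename mimics store name with -loader.js suffix");
      }
      if (/gtm|gtag|googletagmanager/.test(file + host) && !GOOGLE_TAG_HOSTS.has(host)) {
        reasons.push("Google Tag Manager lookalike served from non-Google host");
      }
    }
    if (reasons.length) findings.push({ url: raw, host, file, reasons });
  }
  return findings;
}

// Constructed inventory for a fictional PrestaShop store "shop-example.fr".
const SAMPLE_SCRIPTS = [
  "/themes/classic/assets/js/theme.js",                     // first-party, fine
  "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",  // real GTM, allowlisted
  "https://cdn-example-analytics.invalid/gtm.js",           // GTM lookalike
  "https://static-example.invalid/shop-example-loader.js",  // (store name)-loader.js
];
const SAMPLE_ALLOWLIST = ["www.googletagmanager.com"];
```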
“Distinguishing whether online stores can be trusted becomes very difficult and this case is a good example of a skimmer not arousing suspicion,” said Segura.
These findings come more than two months after Malwarebytes unearthed another web skimmer that collects browser fingerprinting data, such as IP addresses and User-Agent strings, along with credit card information, possibly in an attempt to identify invalid users such as bots and security researchers.