Amid the excitement for Black Friday, cybercriminals are rolling out schemes to trick consumers into sharing their card credentials and profiting from the shopping season. In one observed skimming operation, threat actors faked a retailer’s third-party payment service platform (PSP), creating a hybrid skimmer-phishing page. Another campaign used redirection malware on WordPress websites so that visitors would land on a malicious phishing page.
The first skimming scheme was uncovered by researchers from Malwarebytes. For some retailers and e-commerce companies, redirecting users to a website run by a partner PSP is a relatively common practice. However, the cybercriminals behind the uncovered campaign swapped the legitimate page with a fraudulent copy, so that customers would enter their financial information on the fraudulent one. The information would then be exfiltrated to a server controlled by the cybercriminals.
The page was designed to target customers of a store in Australia that runs the PrestaShop Content Management System (CMS) and uses the Commonwealth Bank platform for payments. The hybrid skimmer-phishing page itself is a copy of the legitimate CommWeb payment processing page of the Commonwealth Bank in Australia. Researchers also noted that the fraudulent page even made sure that users filled in all the data fields with valid entries, alerting them if they had entered wrong information or missed a field.
The second scheme was discovered by a Trend Micro researcher who found certain WordPress sites infected with redirection malware that could lead users to a phishing site. The affected websites belonged to smaller companies and hobby sites. The malware redirects the infected website’s visitors through a chain of websites until they land on one of three main sites. Mac users could land on a site prompting them to scan their device for malware. Others could land on a page that advertises a chance to win a Samsung Galaxy phone. The third is a phishing website, again one that would steal user financial information.
The researcher noted that a few users have fallen for the scheme, but it is gaining some traction.
These two cases show how threat actors use creative means to hide their schemes and trick even the most vigilant of users. They are learning to avoid the usual indicators of fraudulent activity, such as typos and grammatical errors, by either coming up with new ways to distribute their phishing pages or using them in combination with other techniques.
With Black Friday only days away, consumers and retailers might be faced with more of these campaigns as the shopping season progresses. Other skimming campaigns could target other industries and services.
During this season, organizations should monitor and check their external websites, especially those that involve online transactions, to quickly pick up when redirection schemes and the like are victimizing their customers. Consumers should be cautious when conducting online transactions, paying close attention not only to phishing indicators but also to unusual behaviors like multiple redirections.
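One way an organization could run the check described above, as an added example that is not from Trend Micro or Malwarebytes: it flags form, script and meta-refresh targets on a checkout page, and hops in a recorded redirect chain, that leave an allowlist of expected hosts. The host names, the allowlist, the hop threshold and the sample inputs are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed policy for a hypothetical shop: the only hosts checkout may touch.
ALLOWED_HOSTS = {"shop.example", "pay.psp.example"}
MAX_HOPS = 3  # assumed threshold for "multiple redirections"

# Constructed sample: checkout page whose payment form points at a look-alike host.
SAMPLE_HTML = """<html><head><script src="/js/cart.js"></script></head><body>
<form method="post" action="https://pay-psp.example.net/checkout">
<input name="card"></form></body></html>"""
# Constructed sample: redirect chain recorded from a monitored landing page.
SAMPLE_CHAIN = ["https://shop.example/", "http://hop1.example.org/r",
                "https://hop2.example.org/r", "https://prize.example.org/win"]

class _TargetCollector(HTMLParser):
    """Collects URLs a page can send the shopper, or the shopper's data, to."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.targets = base_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(urljoin(self.base_url, a["action"]))
        elif tag == "script" and a.get("src"):
            self.targets.append(urljoin(self.base_url, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://..."; keep what follows the first "="
            url = (a.get("content") or "").partition("=")[2].strip(" '\"")
            if url:
                self.targets.append(urljoin(self.base_url, url))

def host_ok(url, allowed=ALLOWED_HOSTS):
    """True only for an HTTPS URL whose exact host name is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in allowed

def audit_checkout_page(base_url, html, allowed=ALLOWED_HOSTS):
    """Return form, script and meta-refresh targets that leave the allowlist."""
    collector = _TargetCollector(base_url)
    collector.feed(html)
    return [t for t in collector.targets if not host_ok(t, allowed)]

def audit_redirect_chain(chain, allowed=ALLOWED_HOSTS, max_hops=MAX_HOPS):
    """Return findings for a recorded redirect chain (URLs in visit order)."""
    findings = [f"off-allowlist hop: {u}" for u in chain if not host_ok(u, allowed)]
    if len(chain) - 1 > max_hops:
        findings.append(f"too many redirects: {len(chain) - 1}")
    return findings
```

Exact host matching is deliberate: a look-alike such as the constructed `pay-psp.example.net` fails the check even though it resembles the allowed payment host.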
The following Trend Micro solutions protect users and businesses by blocking the scripts and preventing access to the malicious domains: