Hackers Inject Skimmer Iframe in Shopping Sites to Steal Payment Information

Magento skimmer injected iframe shopping phishingResearchers found compromised checkout pages on shopping websites that were skimming customers’ debit and credit card information on Magento-based payment forms. Analysis showed that while this Magecart group infected all the PHP pages of the compromised websites, the phishing form only appears on the checkout page with their own card information fields and triggers data exfiltration. After a successful referrer check, obfuscated scripts can validate and exfiltrate the data to the cybercriminals’ malicious domain via POST request. Users are advised to look for suspicious and redundant information requests as this group may be using the collected information for more malicious activities.

[Read: Mirrorthief group uses Magecart skimming attack to hit hundreds of campus online stores]

Jerome Segura of Malwarebytes found the suspicious activity in a web crawl of a Magento-based website, and noted the phishing form still having the PayU shopper page redirect instructions despite the presence of the credit card information fields on the same page. Further analysis showed that while all the PHP pages of the website were injected with malicious code, it is only triggered if the user is in the shopping cart checkout page with the URL onestepcheckout in the address bar. The cybercriminals load their own iframe to collect credit card data, validating the information before exfiltration.

Once validated, an external JavaScript is loaded from thatispersonal[.]com. Directly browsing the URL without the referer will load a decoy script, and the complete script is heavily obfuscated. Data exfiltration is only triggered once the shopper is on the cart checkout page with the correct referer and the iframe-box for data harvesting, loading another obfuscated script that checks and sends the data. Segura noted that considering online merchants depend on payment service providers (PSP) to gather transaction information securely, users should consider having to enter payment information twice as a red flag.

[Read: MagentoCore payment card data stealer uncovered on 7,339 Magento-based websites]

Compared to Magecart groups’ usual attacks on online stores using overlays or injected Javascript payment credentials skimmers, an iframe-based supply chain attack can be more damaging as it potentially affects more stores, yields more user information for attackers, immediately sends payment information to cybercriminals, and can be discovered only after some time has passed. Further, as online merchants depend on PSPs for regulatory compliance and transaction security, compromise on these websites not only steal their customers’ information for more nefarious activities beyond e-commerce, but also undermines the credibility of these merchants to the users they serve.

Online business owners can protect themselves from this threat with these best practices:

  • Check the security measures established by third party suppliers, as well as their cybersecurity policies and procedures for incidents.
  • Regularly check and download the latest patches available, especially for customer-facing pages and applications.
  • Employ multiple authentication systems to prevent unauthorized access.

Online shoppers are advised to be vigilant and follow these best practices:

  • Note all the information requested during all online transactions.
  • Be suspicious of repeated requests for sensitive information, and confirm with the online merchant the purpose of the requests.

The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains: Trend Micro™ SecuritySmart Protection Suites and Worry-Free™ Business SecurityTrend Micro Network Defense, and Hybrid Cloud Security.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.