Researchers found compromised checkout pages on Magento-based shopping websites that were skimming customers' debit and credit card details from the payment form. Analysis showed that although this Magecart group injected malicious code into every PHP page of the compromised websites, the fake card form appears only on the checkout page, where it adds its own card information fields and triggers data exfiltration. After a successful referrer check, obfuscated scripts validate the entered data and exfiltrate it to the cybercriminals' domain via a POST request. Users are advised to be wary of suspicious or redundant requests for information, as this group may be using the collected data for further malicious activity.
Jerome Segura of Malwarebytes found the suspicious activity during a web crawl of a Magento-based website, noting that the fake form still showed the PayU shopper page redirect instructions even though credit card fields had been added to the same page. Further analysis showed that while every PHP page of the website had been injected with malicious code, the code only triggers when the user is on the shopping cart checkout page, identified by the string onestepcheckout in the URL. The cybercriminals then load their own iframe to collect credit card data, validating the information before exfiltrating it.
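To make the behaviour above concrete, here is an added example in JavaScript; it is not code from the original article or from Malwarebytes' analysis. It models the skimmer's trigger condition (the page URL containing onestepcheckout) and a defender-side monitor that flags any outbound request carrying a Luhn-valid card number to an origin outside the merchant's allowlist, which is how a POST to the attackers' domain would stand out next to the legitimate payment provider traffic. The origins shop.example, secure.payu.example and cdn-static.example, the field names and the sample requests are all constructed for this example, and the Luhn check is an assumed stand-in for the validation step, which the article does not detail.

```javascript
// Added example, not code from the article or from Malwarebytes.
// All domains, field names and sample requests below are constructed.

// The skimmer's trigger condition as described in the article: the injected
// code stays dormant unless the page URL contains "onestepcheckout".
function isCheckoutUrl(url) {
  return new URL(url).pathname.toLowerCase().includes("onestepcheckout");
}

// Luhn check (assumption: stands in for the skimmer's "validate before exfiltrating").
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (optionally separated by single spaces or dashes) in a
// form-encoded or JSON body and keep only those that pass Luhn.
function extractPans(body) {
  const matches = body.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return matches.map(m => m.replace(/[ -]/g, "")).filter(luhnValid);
}

// Show only the BIN and last four so findings can be logged safely.
function mask(pan) {
  return pan.slice(0, 6) + "*".repeat(pan.length - 10) + pan.slice(-4);
}

// Classify one outbound request. allowedOrigins is the merchant's own origin
// plus its real payment service provider; anything else receiving a PAN is suspect.
function classifyRequest(req, allowedOrigins) {
  const origin = new URL(req.url).origin;
  const pans = extractPans(req.body || "");
  if (pans.length === 0) return { verdict: "ok", reason: "no card number in body" };
  if (allowedOrigins.includes(origin)) return { verdict: "ok", reason: "PAN sent to allowlisted origin " + origin };
  return { verdict: "skimmer-suspect", reason: `PAN ${mask(pans[0])} sent via ${req.method} to ${origin}` };
}

// Run the classifier over everything the page sent and keep the findings.
function scanPage(requests, allowedOrigins) {
  return requests
    .map(r => ({ url: r.url, ...classifyRequest(r, allowedOrigins) }))
    .filter(r => r.verdict !== "ok");
}

// Constructed sample traffic from a checkout page (not real captures).
const MERCHANT = "https://shop.example";
const ALLOWED = [MERCHANT, "https://secure.payu.example"]; // assumed PSP origin
const SAMPLE_REQUESTS = [
  // legitimate order save to the merchant, no card data
  { method: "POST", url: MERCHANT + "/onestepcheckout/ajax/save_order/", body: "billing[firstname]=Ann&billing[postcode]=10001" },
  // legitimate card submission to the payment provider
  { method: "POST", url: "https://secure.payu.example/pay", body: "cardNumber=4111 1111 1111 1111&expiry=12%2F27&cvv=123" },
  // skimmer exfiltration: Luhn-valid PAN POSTed to an unrelated domain
  { method: "POST", url: "https://cdn-static.example/img.php", body: JSON.stringify({ cc: "4111-1111-1111-1111", cvv: "123", exp: "12/27" }) },
  // 14-digit order id that fails Luhn, so it must not be flagged
  { method: "POST", url: "https://cdn-static.example/img.php", body: "order=12345678901234&note=thanks" },
];

if (isCheckoutUrl(MERCHANT + "/onestepcheckout/")) {
  console.log(scanPage(SAMPLE_REQUESTS, ALLOWED));
}
```

In a live page the same classifier would be fed by wrapping fetch, XMLHttpRequest.prototype.send, navigator.sendBeacon and form submission, and the allowlist is best enforced rather than just observed, for example with a Content-Security-Policy whose connect-src and form-action directives name only the merchant and its payment provider. Crawling with the onestepcheckout path is also the quickest way to reproduce what Segura saw, since the injected code does nothing on other pages.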
Online business owners can protect themselves from this threat with these best practices:
Check the security measures established by third-party suppliers, as well as their cybersecurity policies and incident response procedures.
Regularly check for and apply the latest available patches, especially for customer-facing pages and applications.
Use multi-factor authentication, particularly for administrative access, to prevent unauthorized logins.
Online shoppers are advised to be vigilant and follow these best practices:
Take note of all the information requested during online transactions.
Be suspicious of repeated requests for sensitive information, and confirm with the online merchant the purpose of the requests.