Card Stealer Malware Uses New Evasion Technique
JavaScript Loaded by Malware From Blocked Domains

A new card stealer malware campaign that loads JavaScript malware from blocked domain lists to evade detection is targeting e-commerce sites that run Adobe's Magento software, security firm Sucuri reports.
Sucuri says one of its clients reported receiving warnings from its antivirus program when navigating to its checkout page. Researchers then found that threat actors were loading the JavaScript from at least 60 blocked domains that had been blacklisted for distributing carding malware.
The threat actors further disguised the malicious script by making it look like JavaScript belonging to a website animation component.
"At first glance, it looks like some sort of obfuscated JavaScript related to animation, which isn’t all that uncommon to see and often looks malicious when it’s really quite benign," the researchers note. "However, upon closer inspection we uncovered that this was actually the payload of the infection."
The researchers determined that the malware consisted of three main components: an obfuscated payload, a decryption function, and a call that executes the decrypted code.
"This example showed a creative use of animation CSS styles and the onanimationstart [an event handler for animationstart events]," the report notes. "It allowed the attackers to avoid the use of simple script tags, which is the first thing that security analysts check when searching for a JavaScript injection in Magento environments."
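The technique described above moves the trigger out of script tags and into a CSS animation event, so a check that only looks for script tags misses it. The following Node.js script is an added illustration for defenders, not code from the Sucuri report: it scans a page for inline event-handler attributes such as onanimationstart, flags external scripts whose host appears on a blocklist, and notes when a CSS animation is paired with an animation event handler. The sample HTML, hostnames and blocklist are constructed for the example.

```javascript
// Added example (not from the Sucuri report): a static checker that looks
// beyond <script> tags for places where JavaScript can run on a checkout
// page. Sample HTML, hostnames and the blocklist are constructed.

const EVENT_ATTR_RE = /\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const SCRIPT_SRC_RE = /<script\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const ANIMATION_CSS_RE = /animation(?:-name)?\s*:\s*([a-zA-Z_][\w-]*)/gi;

// Constructed blocklist: hosts known to serve carding scripts would go here.
const BLOCKED_HOSTS = new Set(['bad-cdn.example']);

// Constructed checkout page: one legitimate script, one from a blocked host,
// and a CSS animation whose start event runs inline JavaScript.
const SAMPLE_HTML = `
<html><head>
<style>.chk{animation:spin 1s}</style>
<script src="https://cdn.example/app.js"></script>
<script src="https://bad-cdn.example/loader.js"></script>
</head>
<body>
<div class="chk" onanimationstart="loadCheckoutHelper()"></div>
<button onclick="checkout()">Pay</button>
</body></html>`;

function hostOf(url) {
  try {
    // Relative URLs resolve against the shop origin (constructed).
    return new URL(url, 'https://shop.example/').hostname;
  } catch {
    return null;
  }
}

function scanHtml(html, blockedHosts) {
  const findings = [];

  // 1. Inline event-handler attributes: JavaScript that runs with no <script> tag.
  for (const m of html.matchAll(EVENT_ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const code = m[2] ?? m[3] ?? m[4] ?? '';
    findings.push({
      kind: 'inline-event-handler',
      attr,
      // animationstart fires without any user interaction, so it deserves
      // a closer look than a handler such as onclick.
      severity: attr.startsWith('onanimation') ? 'high' : 'medium',
      snippet: code.slice(0, 80),
    });
  }

  // 2. External scripts whose host is on the blocklist.
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const src = m[1] ?? m[2];
    const host = hostOf(src);
    if (host && blockedHosts.has(host)) {
      findings.push({ kind: 'blocked-script-host', host, severity: 'high', snippet: src });
    }
  }

  // 3. A CSS animation paired with an animation event handler is the
  //    trigger pattern described in the report.
  const animNames = [...html.matchAll(ANIMATION_CSS_RE)].map(m => m[1]);
  const hasAnimHandler = findings.some(f => f.attr && f.attr.startsWith('onanimation'));
  if (animNames.length && hasAnimHandler) {
    findings.push({ kind: 'animation-trigger-pair', severity: 'high', snippet: animNames.join(',') });
  }
  return findings;
}

function highestSeverity(findings) {
  return findings.some(f => f.severity === 'high') ? 'high'
    : findings.length ? 'medium' : 'none';
}

console.log(JSON.stringify(scanHtml(SAMPLE_HTML, BLOCKED_HOSTS), null, 2));
```

Run it with `node scan.js` against a saved copy of a checkout page; anything reported as `inline-event-handler` with an animation event, or as `blocked-script-host`, warrants manual review of the surrounding markup and of the template or database field it came from.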
JavaScript Skimming
Many e-commerce sites have been hit by JavaScript card stealer campaigns.
For instance, in May, Magecart Group 12 used an updated attack technique to gain remote administrative access to sites that run an older version of Adobe's Magento software, Malwarebytes Labs’ Threat Intelligence Team reported (see: Magecart Skimming Tactics Evolve).
In September 2020, researchers warned that about 2,000 sites that use the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).
Adobe Magento is one of the world's most widely used e-commerce platforms, with about 250,000 users, according to Adobe's website.