Fresh Card Skimmer Attacks Multiple E-Commerce Platforms
Researcher: Malware Found On Several Large Content Management Systems
A recently uncovered payment card skimmer is targeting several large content management systems that support the online checkout pages of dozens of e-commerce sites, according to researchers with Dutch security firm Sansec.
To date, this new skimmer has been found on a dozen online stores' checkout pages that are supported by content management systems hosted on platforms from Shopify, BigCommerce, Zen Cart and WooCommerce, according to the report.
So far, Sansec has not directly tied this recently uncovered skimmer to one particular Magecart group. And while it's not clear who exactly is behind this malware, the report notes that its operators have created an unusual skimmer that can target multiple content management systems at once instead of individually.
How Skimmer Works
The Sansec report does not detail how the fraudsters using this payment skimmer initially compromise the content management system, such as by using other malware or taking advantage of a particular vulnerability.
Once the skimmer is planted on the site, the malware displays a fake payment form before the victim reaches the actual checkout page. In one example, designed to resemble a PayPal account page, the form asks for a billing address, ZIP code, credit card number and the name of the customer, along with the CVV or CVC code.
The Sansec researchers also found that the malware automatically creates specific domains that store the captured data, encrypted and Base64-encoded, and provides a way for the fraudsters to exfiltrate that data later.
These automatically created domains first appeared on Aug. 31, which is believed to be the start date for this particular campaign, the report states.
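As an added, defender-side example that is not from the Sansec report: a small Python check that inspects outbound request bodies leaving a checkout page for Base64-encoded parameters that decode to Luhn-valid card numbers, the exfiltration pattern described above, and flags any that go to a host outside the store's trusted set. The hostnames, request bodies and trusted-host list are all constructed for the example.

```python
import base64
import binascii
import json
import re

# Constructed sample of POST bodies seen leaving a checkout page (not real traffic).
SAMPLE_REQUESTS = [
    {"host": "shop.example-store.test", "body": "step=review&cart=3"},
    # Mimics the skimmer pattern: card data serialized, Base64-encoded, sent to an odd host.
    {"host": "static-metrics.example-cdn.test",
     "body": "d=" + base64.b64encode(json.dumps(
         {"cc": "4111111111111111", "cvv": "123", "name": "A. Customer", "zip": "90210"}
     ).encode()).decode()},
    # Benign Base64 blob with no card number inside; must not be flagged.
    {"host": "shop.example-store.test",
     "body": "blob=" + base64.b64encode(b"no card data here, just a long payload").decode()},
]
TRUSTED_HOSTS = {"shop.example-store.test"}  # constructed allowlist of first-party hosts

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate primary account numbers


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check used to weed out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_base64(value: str):
    """Return decoded UTF-8 text for standard or URL-safe Base64, else None."""
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(value).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return None


def find_pans(text: str) -> list:
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def flag_card_exfil(requests, trusted_hosts) -> list:
    """Flag requests whose Base64 parameters decode to Luhn-valid card numbers."""
    findings = []
    for req in requests:
        for pair in req["body"].split("&"):          # split manually: parse_qs would mangle '+'
            key, _, value = pair.partition("=")
            decoded = decode_base64(value)
            if decoded and (pans := find_pans(decoded)):
                findings.append({"host": req["host"], "param": key, "pan_count": len(pans),
                                 "untrusted_host": req["host"] not in trusted_hosts})
    return findings
```

In practice the same check runs over a CSP report or proxy log; a hit on an untrusted host whose domain was only recently registered is the strongest signal.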
"To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming," the Sansec researchers note. "Wherever customers enter their payment details, they are at risk."
In another instance, researchers with RiskIQ found a new variant of the Grelos skimmer that co-opted the infrastructure that Magecart uses for its own skimming attacks against e-commerce sites (see: Grelos Skimmer Variant Co-Opts Magecart Infrastructure).