
Malicious Skimmer Code Piggybacks on Other Hackers' Code

Researchers Uncover the Tale of 2 Skimmers
Costway's French checkout site was injected with two JavaScript skimmers. (Source: Malwarebytes)

Malwarebytes researchers have uncovered unusual payment card skimming code designed to harvest data that is already being stolen by other hackers on a website.

"We have seen threat actors - and skimmers in particular - compete before, but not exactly in the same manner," says Jérôme Segura, director of threat intelligence at Malwarebytes.


Malwarebytes found this unusual second layer of malicious code in the online checkout function of the French site for Costway, which sells furniture and appliances in North America and Europe.

Costway appears to be one of many e-commerce sites around the world still running an older version of Adobe's Magento software, despite warnings from the software company to move to an updated version of the content management system, the Malwarebytes report notes.

In September 2020, researchers warned that about 2,000 sites that use the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

A Tale Of 2 Skimmers

Costway’s French, German, Spanish and British sites appear to have been targeted by the first skimmer in the fall of 2020, when other companies’ sites running Magento 1 software were also compromised, according to the report.

The original JavaScript skimmer injected a fake payment form into the company's online checkout page and was harvesting payment card data, according to the report. This was first detected on Costway's French site - costway[.]fr.

At some point, a second skimmer was injected onto the already hacked French Costway site from a domain called "securityxx[.]top." The second skimmer did not seem to have the same level of access to the compromised platform as the first one, which might be one reason for the piggyback approach, the researchers say.

"It's possible that the two threat actors' level of access to e-commerce sites differs," according to Malwarebytes. The initial hack in the fall of 2020 exploited a core vulnerability that granted the attackers root access, while the second group appears able to perform only specific types of injections. "If that is the case, this would explain why they simply leave the fake form alone and grab credentials from it," the report states.

Even when Costway upgraded to a new platform, the hackers wielding the second skimmer were prepared with other code that would compromise that content management system as well, the report notes.

"The [second] skimmer creates its own form fields, which closely resemble the legitimate ones from the Adyen payments platform that Costway uses," according to Malwarebytes. "Visually, only a very small style change (font size) gives it away, but there are more significant implications under the hood."

From there, the hackers could continue to harvest payment card data, the report says.
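As an added illustration that is not from the Malwarebytes report or from this article: a small Python checker, written from the site operator's side, that scans checkout-page HTML for the two tells the passage describes, a script tag served from a host outside an allowlist and a second card-number input whose inline style differs from the legitimate one. The allowlist, the field-name patterns and the sample markup are constructed assumptions, not Costway's or Adyen's actual code; the skimmer host in the sample is a placeholder standing in for the domain named in the report.

```python
"""Checkout-page skimmer tells: foreign script hosts and duplicate card fields.

Assumptions (constructed for this example): ALLOWED_SCRIPT_HOSTS lists the
hosts a checkout page is expected to load scripts from; card-number inputs
are recognised by name/id patterns or autocomplete="cc-number".
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the shop itself plus its payment provider's SDK host.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "payments.example"}

# Field names that usually carry a card number (constructed pattern).
CARD_FIELD_RE = re.compile(r"(card.?number|cc.?num)\b", re.I)


class CheckoutScanner(HTMLParser):
    """Collects script sources and card-number inputs while parsing."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.foreign_scripts = []   # script src values from non-allowlisted hosts
        self.card_inputs = []       # (identifier, inline style) per card-number input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if host not in self.allowed_hosts:
                self.foreign_scripts.append(a["src"])
        elif tag == "input":
            ident = " ".join(filter(None, (a.get("name"), a.get("id"), a.get("autocomplete"))))
            if CARD_FIELD_RE.search(ident) or a.get("autocomplete") == "cc-number":
                self.card_inputs.append((ident, a.get("style", "")))


def scan_checkout(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of human-readable findings; an empty list means no tells."""
    parser = CheckoutScanner(allowed_hosts)
    parser.feed(html)
    findings = [f"script from non-allowlisted host: {src}" for src in parser.foreign_scripts]
    if len(parser.card_inputs) > 1:
        names = [ident for ident, _ in parser.card_inputs]
        findings.append(f"{len(parser.card_inputs)} card-number inputs found (expected 1): {names}")
        # A fake form that mimics the real one often differs only in styling,
        # e.g. a slightly different font size, so compare the inline styles.
        if len({style for _, style in parser.card_inputs}) > 1:
            findings.append("card-number inputs differ in inline style")
    return findings


# Constructed sample: a legitimate form, then an injected look-alike form and loader.
SAMPLE_CHECKOUT = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://payments.example/sdk.js"></script>
<form id="legit-payment">
  <input name="encryptedCardNumber" autocomplete="cc-number" style="font-size:14px">
  <input name="encryptedExpiryDate" autocomplete="cc-exp">
</form>
<form id="payment-form-2">
  <input name="cardNumber" style="font-size:13px">
  <input name="cvv">
</form>
<script src="https://skimmer-host.invalid/loader.js"></script>
</body></html>
"""

# Constructed clean page: one card field, scripts only from allowlisted hosts.
CLEAN_CHECKOUT = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<form id="legit-payment">
  <input name="encryptedCardNumber" autocomplete="cc-number" style="font-size:14px">
</form>
</body></html>
"""

if __name__ == "__main__":
    for page_name, page in (("sample", SAMPLE_CHECKOUT), ("clean", CLEAN_CHECKOUT)):
        print(page_name, scan_checkout(page) or "no findings")
```

Run as a script it prints three findings for the sample page and none for the clean one. A check like this belongs in a periodic synthetic-transaction monitor that fetches the live checkout page, since the injection happens server-side and would not show in the site's own repository; a Content Security Policy restricting script-src to the same allowlist blocks the foreign loader outright rather than merely reporting it.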

Ongoing Attack

Malwarebytes’ researchers informed Costway about the original hack and the subsequent injections of malicious JavaScript into their sites. As of now, the company's French site remains infected with the second skimmer’s code, the researchers say.

A spokesperson for Costway was not immediately available for comment.

Criminals Compete

The increase in competition among cybercriminal gangs may be why one group decided to piggyback on the work of another, according to the report.

"The skimming space today is different than it was a few years ago," Segura says. "More threat actors are ranging from mere copycats to advanced attackers. Ultimately, that means we're going to see increased competition and specific measures put in place to guarantee exclusivity."

And while the Costway site is the only known example of this approach so far, Segura suspects other sites have been targeted and compromised with the same code.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
