Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

Video Conference Firm Targeted for Payment Card Skimming

Malwarebytes Says PlayBack Now Customer Sites Compromised
Video Conference Firm Targeted for Payment Card Skimming
Circled is the line of JavaScript indicating the website is compromised. (Source: Malwarebytes)

While most payment card skimming attacks zero in on ecommerce sites for consumers, a newly discovered attack targeted PlayBack Now, an online video conferencing firm, Malwarebytes reports.

See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk

PlayBack Now was hit with a two-pronged attack designed to steal payment card and other information from the company's customers who uses websites created by the firm, according to Malwarebytes. Fraudsters created a typosquatting-based website as an obfuscation tool to fool site administrators. And they injected a JavaScript skimmer into the Magento e-commerce platform within the websites PlayBack Now built for its customers.

About 40 PlayBack Now customers, including the National Association of Realtors, American Diabetes Association and the American College of Physicians, have been affected by the scam, but the number of their clients that may have had data compromised is not known. Information stolen includes cardholder names, credit card numbers, expiration dates and the card's CVV, according to Malwarebytes.

The attackers have not been identified as being members of a group that falls under the Magecart umbrella of card-skimming gangs. But their use of a JavaScript skimmer is similar to the Magecart aproach (see: Magecart Group Hits Small Businesses With Updated Skimmer).

Typosquatting Attack

PlayBack Now creates websites for its customers, who then use them to host virtual conferences or to play purchased content. The fraudsters installed JavaScript skimmers inside some of these sites.

Malwarebytes created a fake website to facilitate the skimmer installation. The site's home page acted only as a placeholder that enabled the attackers to use its URL to hide the JavaScript skimmer inside the customer sites, according to the report.

"The typosquatting is meant to deceive site administrators reviewing the page's source code, rather than shoppers typing in the wrong address,” Jerome Segura, director of threat intelligence at Malwarebytes, tells Information Security Media Group. “The whole idea is to inject a malicious line of code using a domain name that looks like the real one. If you're not paying too much attention you might think that this link is legitimate."

When a PlayBack Now customer purchased a course or conference recording via an infected website, their personal and credit card data was leaked to criminals via the same malicious domain housing the skimmer, according to Malwarebytes.

Malwarebytes disclosed the following information on the fake website the fraudsters used to facilitate skimmer installation:

  • Domain name: playbacknows.com;
  • Creation Date: 2020-09-21T20:22:10.00Z;
  • Registrar: NAMECHEAP INC;
  • Registrant Name: WhoisGuard Protected;
  • Registrant Street: P.O. Box 0823-03411;
  • Registrant City: Panama.

Accessing PlayBack Now

Malwarebytes says it's possible the attackers may have used the Golang brute force tool, or the initial breach may have exploited a Magento vulnerability.

The researchers noted thousands of Magento content management systems were attacked after the release of the Golong exploitation tool (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

A spokesperson for PlayBack Now did not immediately reply to a request for comment.


About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.