


Cybercriminals have upgraded their credit card skimming scripts to use an iframe-based phishing system designed to phish for credit/debit card info from Magento-powered store customers on checkout.

Magecart groups usually inject JavaScript-based payment data skimmers within the code of the website, with the scripts collecting and exfiltrating payment information in the background and customers never even noticing that it happened.

In this case, as Malwarebytes security researcher Jérôme Segura discovered, the crims injected their credit card stealer scripts within every page of the hacked websites and configured them to pop up as a phishing form asking the buyers to provide the info themselves.

Skimmer acts as payment service provider via rogue iframe

Magecart groups using phishing to steal credit card data is not revolutionary, as detailed by RiskIQ's head of threat research Yonathan Klijnsma in a Magecart Group 4 overlay payment phishing system analysis from February, with the crooks replacing the legitimate payment form with their own.

However, the iframe-based skimming discovered by Segura one-ups Magecart Group 4's devious strategy by displaying a credit card phishing form on the page where customers are redirected to the payment service provider (PSP), a place where online shops would never ask their users for payment info given that the payment process is externalized to the PSP.

As Segura found out, the crooks injected all the pages of hacked Magento websites with this iframe-based credit card phishing script, but the phishing form will only be displayed on the store's checkout page.

If paying enough attention during the checkout process, customers can still detect when hackers want to steal their credit card info using this phishing method, since the crooks haven't removed the "Then you will be redirected to PayuCheckout website when you place an order" message, which should raise at least a couple of red flags.

The hackers first collect the data using the rogue iframe that gets created on the compromised site using an obfuscated script loaded from thatispersonal[.]com, a domain registered and hosted in Russia.

Next, the phished credit card gets validated and sent to the crooks' exfiltration server with the help of another obfuscated script via a POST request to the same Russian-hosted domain.

Skimmer traffic capture

Magecart groups actively diversifying their targets
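The two traits described above, a loader script or iframe pulled from a domain the store does not own and a card-entry form sitting on a page that is supposed to hand off to the PSP, are both visible in the page's HTML, so a store operator can check for them in a nightly crawl or a CI step. The following is an added example written for this article, not code from Malwarebytes, RiskIQ or the skimmer itself; the allowlist, the two sample pages and the `.invalid` host names are constructed for the demo, and for the iframe-form case the scanner should be fed a rendered DOM snapshot rather than only the raw server response.

```python
"""
Added example: static checker for the two skimmer traits discussed in the article.
  1. <script>/<iframe> elements whose src host is outside the store's allowlist
  2. card-data input fields on a page that is expected to redirect to the PSP
All domains, pages and the allowlist below are constructed for this demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that commonly identify card fields (name/id/autocomplete attributes)
CARD_FIELD_HINTS = ("cardnumber", "card_number", "ccnumber", "cc-number", "cc-csc", "cvv", "cvc")


class _Scanner(HTMLParser):
    """Collects external script/iframe sources and card-looking inputs."""

    def __init__(self):
        super().__init__()
        self.external_sources = []   # (tag, src) for every script/iframe with a src
        self.card_inputs = []        # identifiers of inputs that look like card fields

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.external_sources.append((tag, a["src"]))
        if tag == "input":
            ident = (a.get("name") or a.get("id") or a.get("autocomplete") or "").lower()
            if any(hint in ident for hint in CARD_FIELD_HINTS):
                self.card_inputs.append(ident)


def _host(src):
    """Extract the host from an absolute or protocol-relative URL ('' for relative paths)."""
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname or ""


def scan_page(html, allowed_hosts, expects_psp_redirect):
    """Return a list of human-readable findings for one page (empty list = clean)."""
    scanner = _Scanner()
    scanner.feed(html)
    findings = []
    for tag, src in scanner.external_sources:
        host = _host(src)
        if host and host not in allowed_hosts:
            findings.append(f"{tag} loaded from non-allowlisted host {host}")
    # A page that hands off to an external PSP should never collect card data itself
    if expects_psp_redirect and scanner.card_inputs:
        findings.append("card fields present on a page that should redirect to the PSP: "
                        + ", ".join(scanner.card_inputs))
    return findings


# Constructed allowlist: the store's own origin and its CDN
ALLOWED = {"shop.example", "cdn.shop.example"}

# Constructed sample: a clean checkout page that hands off to the PSP
CLEAN_CHECKOUT = """
<html><body>
<script src="https://cdn.shop.example/checkout.js"></script>
<p>Then you will be redirected to the payment provider when you place an order.</p>
<button>Place order</button>
</body></html>
"""

# Constructed sample: the same page after injection of a third-party loader,
# a rogue iframe and a card form (as it would appear in a rendered DOM snapshot)
INJECTED_CHECKOUT = """
<html><body>
<script src="//loader.attacker-controlled.invalid/a.js"></script>
<iframe src="https://loader.attacker-controlled.invalid/pay.html"></iframe>
<form><input name="cc-number"><input name="cvv"></form>
<p>Then you will be redirected to the payment provider when you place an order.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_CHECKOUT), ("injected", INJECTED_CHECKOUT)):
        print(label, scan_page(page, ALLOWED, expects_psp_redirect=True) or ["no findings"])
```

The allowlist check is what catches a loader such as the one described above regardless of how the script body is obfuscated, since the host it is fetched from cannot be hidden from a static scan; the card-field check encodes the article's point that a PSP-redirect page has no business collecting card numbers at all.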
