Magecart Card Skimmers Expand Attack Portfolio

Magecart is not the name of a new online shopping cart API, but the name of a network of cybercriminals who have been stealing credit card credentials for a few years now. One of the groups that make up the larger Magecart network was recently spotted by security researchers using a new method of attack.

Magecart can now inject retail websites with iframes that look like a regular credit card payment interface. What is different in this case is that Magecart doesn't scan for a legitimate payment form to substitute with one that can be skimmed. Instead, the iframe with the malicious payment form is dumped into the code of every PHP page but is only displayed when the page has a regular shopping cart checkout form on it.

The malicious frame is formatted in a way that should be relatively obvious for experienced users, and they should be able to spot the issue right away, as the fields required are not found in any normal payment form. The process also tells the victim that they will be redirected to a third-party website where the transaction will be finalized - another giveaway that something is not quite right with the payment and the procedure used.

If all goes according to Magecart's plan, the page loads external JavaScript code from a domain registered by a Russian entity. This, of course, all happens without alerting a regular user in any way. Once the credit card information is scraped and collected by the bad actors, the unwitting customer is redirected to the legitimate checkout page from the retailer and has to re-enter their credit card information. This second step of doing essentially the same thing should be another red flag to tip users off that something is not right.
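For site owners, the behaviour described above (a frame present in every page, plus content pulled from an outside domain) can be checked for in the HTML the server returns. The following is an added example, not code from the article or from any researcher's report; the allowlist, the host names and the sample pages are constructed assumptions, and the regex scan only sees markup present in the served HTML, not nodes added later by script.

```javascript
// Added example: audit server-rendered HTML for frames and scripts that
// load from hosts the shop has not approved. All hosts are constructed.
const ALLOWED_HOSTS = new Set(["shop.example", "pay.example"]); // assumption

const TAG_RE = /<(iframe|script)\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function auditPage(html, pageUrl, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const srcMatch = attrs.match(SRC_RE);
    if (!srcMatch) {
      // Inline <script> is out of scope here; a frame without src (srcdoc or
      // script-filled) has no origin to check, so it always goes to review.
      if (tag === "iframe") findings.push({ tag, host: null, reason: "frame-without-src" });
      continue;
    }
    const raw = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    let host;
    try {
      host = new URL(raw, pageUrl).hostname; // resolves relative and //host URLs
    } catch {
      findings.push({ tag, host: null, reason: "unparseable-src" });
      continue;
    }
    if (!allowedHosts.has(host)) findings.push({ tag, host, reason: "host-not-allowlisted" });
  }
  return findings;
}

// Constructed pages: the same injected frame sits in a product page (hidden)
// and in the checkout page, as the article describes for every PHP page.
const INJECTED = '<iframe src="//cdn.skimmer.invalid/pay.html" style="display:none"></iframe>';
const PAGES = {
  "https://shop.example/product.php": `<script src="/js/app.js"></script>${INJECTED}`,
  "https://shop.example/checkout.php":
    `<script src="/js/app.js"></script><iframe src="https://pay.example/form"></iframe>${INJECTED}`,
};

function auditSite(pages = PAGES) {
  const report = {};
  for (const [url, html] of Object.entries(pages)) report[url] = auditPage(html, url);
  return report;
}

console.log(JSON.stringify(auditSite(), null, 2));
```

Because the frame is present on pages that have no checkout form, auditing non-checkout pages surfaces it even while it is not displayed.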
