New Skimmer Malware Steals Credit Card Data From Checkout Pages

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new skimmer malware is targeting Magento-powered eCommerce websites, stealing sensitive credit card information from checkout pages.

The malware either dynamically injects a fake credit card form or reads the real payment fields directly, and it activates only on checkout pages. The stolen information is then encrypted and exfiltrated to a remote server.

“This sophisticated skimmer targets Magento checkout pages to steal sensitive payment data, either by injecting fake forms or extracting live input fields”, Sucuri explains in its post.

“Its dynamic approach and encryption mechanisms make it challenging to detect”.


Malware Stealing Credit Card Information

During a routine assessment, Sucuri security expert Weston Henry identified an attack in which a malicious script was loaded. The scan flagged a resource originating from the blacklisted domain dynamicopenfonts.app.

Three different domains were involved, including:

  • dynamicopenfonts[.]app
  • staticfonts[.]com
  • Static-fonts[.]com

Figure: The infection code

The external script’s contents are obfuscated to prevent discovery, making it difficult to recognize at first glance. Once executed, the script only activates on pages that have the word “checkout” but not “cart” in the URL.

Figure: Fake credit card form example

“The script is designed to extract sensitive credit card information from specific fields on the checkout page”, researchers explain.

The malware then uses Magento’s APIs to gather more user data, such as the user’s name, address, phone number, email, and other billing details. Magento’s customer-data and quotation models are used to obtain this information.

The harvested information is first serialized as JSON, which also makes it harder to spot in traffic. To add a further layer of obfuscation, it is then XOR-encrypted using the key “script”.

Lastly, Base64 encoding is applied to the encrypted data so that it can be transmitted intact.

Sending Stolen Information to Remote Servers

Once a user enters their payment information into the injected form or the hijacked fields, the malware harvests and encrypts the data. A beaconing approach is then used to send it to a remote server located at staticfonts.com.

A beaconing technique is a way for a program or script to send data from a client (such as the user’s browser or device) to a remote server silently, without alerting the user or interfering with their activity.

The base64 encoded URL (aHR0cHM6Ly9zdGF0aWNmb250cy5jb20=) decodes to hxxps://staticfonts[.]com, which is where the stolen credit card data is sent.
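The encoding chain described above (JSON, then XOR with the key “script”, then Base64) is simple enough that an analyst can reverse it on captured beacon traffic. The following is an added example, not code from the article or from Sucuri: a small Node.js helper that decodes such a beacon body, checks the activation rule reported for the script (URL contains “checkout” but not “cart”), and decodes the Base64 server URL quoted in the article. The sample card data is constructed for the demonstration.

```javascript
// Added example (not from the article or Sucuri). Reverses the encoding chain
// the article reports: JSON -> XOR with key "script" -> Base64.
const XOR_KEY = "script"; // key named in the article

// XOR every byte of `buf` with the repeating key. XOR is symmetric, so the
// same routine both encodes and decodes.
function xorWithKey(buf, key = XOR_KEY) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) {
    out[i] = buf[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// Decode a captured Base64 beacon body back to the harvested JSON object.
function decodeBeacon(b64) {
  const plain = xorWithKey(Buffer.from(b64, "base64")).toString("utf8");
  return JSON.parse(plain);
}

// Inverse of decodeBeacon; used here only to build a constructed sample so
// the decoder can be exercised offline.
function encodeBeacon(obj) {
  return xorWithKey(Buffer.from(JSON.stringify(obj), "utf8")).toString("base64");
}

// Activation rule the article reports: the script only runs on URLs that
// contain "checkout" and do not contain "cart". Useful for deciding which
// page loads to inspect when hunting for the skimmer.
function matchesActivationRule(url) {
  return url.includes("checkout") && !url.includes("cart");
}

// Plain Base64 decode for the exfiltration URL string quoted in the article.
function decodeBase64Text(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Constructed sample beacon (fake card data), not a real capture.
const SAMPLE_RECORD = { cc: "4111111111111111", exp: "12/29", email: "j.doe@example.com" };
const SAMPLE_BEACON = encodeBeacon(SAMPLE_RECORD);
```

Running `decodeBeacon(SAMPLE_BEACON)` returns the original record, and `decodeBase64Text("aHR0cHM6Ly9zdGF0aWNmb250cy5jb20=")` yields the staticfonts.com URL from the article.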

To safeguard your eCommerce platform, it is therefore recommended that you perform regular security audits, monitor for any unusual behaviour, and deploy a strong WAF.
