Hackers Steal Over 50,000 Payment Card Records Using E-Skimmer From Over 300 Restaurants

Two web-skimming Magecart campaigns that targeted three different online ordering platforms have stolen payment card details from more than 310 restaurants.

It was determined that in total, 50,000 payment cards were taken, and as a result, they are already in the process of being sold on a number of dark-web marketplaces. 

When an online shopper types their credit card information on the checkout page, the Magecart malware, which is usually JavaScript code, collects the data.

Infection on MenuDrive platform showing the e-skimmer JavaScript (BLUE)

The target audience of the presentation will be fraud and CTI teams within financial institutions and security professionals within the e-commerce sector.

The following Magecart campaigns were identified by Recorded Future’s threat detection tools, and here are the portals below:-

  • MenuDrive
  • Harbortouch
  • InTouchPOS


According to theRecord Future report, On January 18, 2022, the initial campaign was started that hit several restaurants, and here below we have mentioned the key data:- 

  • Hit 80 restaurants using MenuDrive platform. 
  • Hit 74 restaurants using Harbortouch platform.

In the majority of cases, these restaurants are small establishments that are located all around the United States. It was injected into the restaurant’s website on both platforms so that the web skimmer would be picked up.

Two scripts were used in MenuDrive malware to steal payment card data and collect the following information about the cardholder:-

  • Name
  • Email address
  • Phone number

A single script was being used by the skimmer injected into Harbortouch to steal all information about the user and payment card information.

As of Nov 12, 2021, InTouchPOS is the target of a second campaign targeting the company. It was not until January 2022 that most of the injections of skimmer software were discovered on web pages.

Skimmers such as these have been linked to older campaigns that are still being carried out as a result of the artifacts that identify them.

Here, the skimmer uses a fake payment form to disguise itself as a legitimate target, so the details of the website are not stolen. 

In both campaigns, the corresponding exfiltration domains and the corresponding campaigns are still active and are running as planned. 

All entities impacted by the compromise have been informed of the compromise by the security firm. There has been no response yet to their request, however. But, the payment platforms and law enforcement agencies have been notified of the situation in accordance with their requirements.

While the MenuDrive and Harbortouch require the scanning of all restaurant subdomains in order to remove the skimmers from their software.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.