Security experts from Sansec warn of a multi-platform credit card skimmer that targets online stores running on Shopify, BigCommerce, Zencart, and Woocommerce.
The experts say that the skimmer shows a fake payment form designed to record customer keystrokes before they reach the actual checkout page.
Once customers have provided their credit card details, the skimmer throws an error message saying “Paypal Checkout failed processing your order. You will be redirected to Shopify Checkout” and the customer is redirected to the real payment page.
[Figure: Fake checkout form]
“Notably, so many different platforms are compromised in the same campaign. Hackers might have breached a shared component used by all affected merchants,” say the researchers from Sansec.
This multi-platform skimmer uses programmatically generated exfiltration domains. It keeps a counter and uses base64 encoding to produce a new domain name. This produces exfiltration domains such as zg9tywlubmftzw5ldza[.]com, zg9tywlubmftzw5ldze[.]com, and so on.
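For defenders reviewing proxy or DNS logs, the counter-plus-base64 scheme described above can be recognized even though DNS lowercases the label. The following is an added example, not Sansec's code: it recovers the lost letter case one base64 group at a time and reports labels that decode to a name followed by a counter. The plaintext pattern (lowercase letters, then digits), the 40-character cap and the benign sample hosts are assumptions.

```python
import base64
import itertools
import re

ALLOWED = set(b"abcdefghijklmnopqrstuvwxyz0123456789")
# Assumption: the encoded name is lowercase letters followed by a counter.
PLAINTEXT = re.compile(rb"[a-z]+[0-9]+")
LABEL = re.compile(r"[a-z0-9]{2,40}")  # length cap keeps the search small

def _group_candidates(group):
    """Plaintexts a lowercased base64 group (up to 4 chars) may have come from."""
    pad = "=" * (-len(group) % 4)
    options = [(c, c.upper()) if c.isalpha() else (c,) for c in group]
    found = set()
    for combo in itertools.product(*options):  # at most 16 case variants
        text = "".join(combo) + pad
        try:
            raw = base64.b64decode(text, validate=True)
        except ValueError:
            continue
        # Keep only canonical encodings of lowercase-alphanumeric bytes.
        if base64.b64encode(raw).decode() == text and all(b in ALLOWED for b in raw):
            found.add(raw)
    return found

def decode_folded_label(label):
    """Return plausible 'name + counter' plaintexts for a DNS label, or []."""
    label = label.lower()
    if not LABEL.fullmatch(label) or len(label) % 4 == 1:
        return []  # cannot be an unpadded base64 string
    groups = [label[i:i + 4] for i in range(0, len(label), 4)]
    per_group = [_group_candidates(g) for g in groups]
    if not all(per_group):
        return []
    joined = {b"".join(parts) for parts in itertools.product(*per_group)}
    return sorted(p.decode() for p in joined if PLAINTEXT.fullmatch(p))

def flag_hosts(hosts):
    """Map each suspicious (possibly defanged) host to its decoded candidates."""
    decoded = {h: decode_folded_label(h.replace("[.]", ".").split(".")[0]) for h in hosts}
    return {h: names for h, names in decoded.items() if names}

# The two labels quoted in the article plus two constructed benign hosts.
SAMPLE = ["zg9tywlubmftzw5ldza[.]com", "zg9tywlubmftzw5ldze[.]com",
          "cdn-assets.example", "store.example"]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE))
```

Because lowercasing discards information, a label can yield more than one candidate plaintext; treat any non-empty result as a lead to investigate rather than a verdict.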
Therefore, this campaign shows that platforms are no boundary to the profitable fraud of online skimming. Wherever customers enter their payment details, they are in danger. Merchants should implement measures to actively counter this.
Sansec researchers have spotted multiple Magecart campaigns using new evasion techniques. In early December they revealed a campaign that was hiding the malware in CSS files. The experts analyzed multiple Magecart attack techniques over the past months; attackers compromised websites by hiding malicious code in multiple components of the sites, including live chat windows, images, and favicons.