Sophisticated Web Skimming Campaign Targets Major Payment Networks, Stealing Credit Card Data Since 2022
- John Jordan

A widespread and highly sophisticated web skimming campaign has been actively stealing credit card information from online checkout pages since early 2022. This long-running operation, which falls under the umbrella term "Magecart," targets major payment networks, putting millions of online shoppers and e-commerce businesses at significant risk.
Key Takeaways
- A sophisticated Magecart campaign has been active since January 2022, targeting major payment networks.
- The campaign injects malicious JavaScript into e-commerce checkout pages to steal credit card details and personal information.
- Attackers employ advanced evasion techniques to avoid detection by website administrators and security measures.
- The stolen data includes names, phone numbers, email addresses, shipping addresses, credit card numbers, expiration dates, and CVV codes.
The Magecart Threat
Magecart refers to a category of client-side attacks where malicious JavaScript code is injected into legitimate e-commerce websites. This code stealthily harvests sensitive data, such as credit card numbers, expiration dates, and CVV codes, as unsuspecting users enter them during the checkout process. Initially associated with groups targeting Magento-based stores, the term now broadly describes various web-skimming operations across different e-commerce platforms.
Advanced Evasion Tactics
The attackers behind this campaign demonstrate a high level of technical expertise, particularly in evading detection. The malicious JavaScript includes features designed to detect if a website administrator is logged in by checking for specific elements like the "wpadminbar" in WordPress sites. If detected, the skimmer initiates a self-destruct sequence, removing itself from the page to avoid discovery. Furthermore, the skimmer checks for a flag indicating a successful skim, preventing it from running multiple times on the same victim.
Deceptive Payment Forms
A key tactic employed by the skimmer is the creation of a convincing fake payment form. It hides the legitimate payment interface, such as Stripe's, and replaces it with a malicious iframe that mimics the authentic form. This fake form includes sophisticated validation features, like automatic card brand detection and proper formatting, making it virtually indistinguishable from the real one. Once a victim enters their details and submits the fake form, the skimmer captures the information.
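The swap described above leaves an observable trace in the checkout DOM: the payment provider's frame is hidden while a frame from some other origin is visible. The following is an added example for defenders, not code from the campaign or from the cited reports; the allowlisted origin `https://js.stripe.com` and all function names are assumptions to adapt to your own checkout.

```javascript
// Added example (not from the cited reports): flag the payment-iframe swap pattern.
// Assumption: the only frame the payment area should show comes from this origin.
const ALLOWED_FRAME_ORIGINS = new Set(['https://js.stripe.com']);

// frames: [{ src: string, visible: boolean }] snapshot of iframes on the checkout page.
function auditCheckoutFrames(frames, allowed = ALLOWED_FRAME_ORIGINS) {
  const findings = [];
  let legitHidden = false;
  let foreignVisible = false;
  for (const { src, visible } of frames) {
    let origin = null;
    try {
      // Empty, relative, about:, data: and blob: sources get no trusted origin.
      const u = new URL(src);
      if (u.protocol === 'https:') origin = u.origin;
    } catch { /* unparseable src: origin stays null */ }
    if (origin && allowed.has(origin)) {
      if (!visible) { legitHidden = true; findings.push({ type: 'payment-frame-hidden', src }); }
    } else if (visible) {
      foreignVisible = true;
      findings.push({ type: 'unexpected-frame', src });
    }
  }
  // A hidden provider frame plus a visible foreign frame is the swap described above.
  if (legitHidden && foreignVisible) findings.push({ type: 'frame-swap' });
  return findings;
}

// Browser wiring: take a snapshot of every iframe in the given root.
function snapshotFrames(root) {
  return [...root.querySelectorAll('iframe')].map((f) => ({
    src: f.src || '',
    // checkVisibility() covers display:none; older browsers fall back to layout size.
    visible: f.checkVisibility ? f.checkVisibility() : f.offsetWidth > 0 && f.offsetHeight > 0,
  }));
}

if (typeof document !== 'undefined') {
  const report = () => {
    const findings = auditCheckoutFrames(snapshotFrames(document));
    if (findings.length) console.warn('checkout frame audit', findings);
  };
  new MutationObserver(report).observe(document.documentElement, {
    childList: true, subtree: true, attributes: true,
    attributeFilter: ['style', 'class', 'hidden', 'src'],
  });
  report();
}
```

Because the skimmer removes itself when it detects a logged-in administrator, run a check like this in logged-out shopper or synthetic sessions rather than while signed in to the CMS. A `Content-Security-Policy` with a restrictive `frame-src` enforces the same allowlist in the browser.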
Data Exfiltration and Impact
Beyond payment details, the skimmer also harvests names, phone numbers, email addresses, and shipping addresses. The stolen data is then encrypted and transmitted to attacker-controlled servers. After successful exfiltration, the skimmer cleans up its traces, restoring the legitimate payment form and simulating an error message to make the victim believe they entered their details incorrectly. This often leads users to re-enter their information into the actual form, unaware their data has already been compromised. The campaign has targeted major payment providers including American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay, impacting enterprise organizations that are clients of these providers.
Sources
Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages, The Hacker News.
Online shoppers at risk as Magecart skimming hits major payment networks, Malwarebytes.
New Magecart Campaign Steals Credit Card Details During Online Checkouts, GBHackers News.
Magecart network targeted Amex, Diners Club, MasterCard since 2022, SC Media.
New Magecart Attack Steals Customers Credit Cards from Website Checkout Pages, Cyber Security News.






