Black Friday: Malwarebytes Warns of Credit Card Skimming Surge

With Black Friday and Cyber Monday around the corner, anti-malware provider Malwarebytes has warned about the rise of credit card skimming.

This type of identity theft, where criminals steal credit card information from ATMs, other payment terminals or even compromised websites, is expected to rise over the next few weeks, Malwarebytes Labs said in a post published on November 14, 2023.

One specific credit card skimming campaign, Kritec, picked up the pace drastically in October after a lull during the summer.

What is the Kritec Skimming Campaign?

Kritec is a type of skimmer that was first discovered by Akamai in March 2023 and attributed to Magecart, a nebulous hacking cluster that employs online skimming techniques to steal personal data from websites—most commonly, customer details and credit card information on websites that accept online payments.

However, Malwarebytes has noticed several differences from previous Magecart skimming campaigns. Its researchers attributed the campaign to a different threat actor, named Kritec after one of the domain names used by the perpetrators.

Kritec is malicious JavaScript code injected into legitimate websites, typically those using the Magento e-commerce platform. Once injected, Kritec hides itself within the Google Tag Manager (GTM) script, making it difficult for security solutions to detect. When a customer enters their credit card information on the checkout page, Kritec steals the information and sends it to a remote server controlled by the attackers.
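Because the skimmer described above has to send the captured card data to a remote server, a site owner can check whether the checkout page's Content-Security-Policy limits where scripts may send data. The following is an added example, not code from Malwarebytes or from this article; the function names and the two sample policies are constructed for illustration.

```javascript
// Added example: audit a checkout page's Content-Security-Policy for gaps
// that would let an injected script send form data to an arbitrary host.

// Directives that govern script loading and outbound data, and whether each
// falls back to default-src when it is absent (form-action does not).
const EXFIL_DIRECTIVES = {
  "script-src": true,
  "connect-src": true,
  "img-src": true,
  "form-action": false,
};
// Source expressions that match any host.
const TOO_BROAD = new Set(["*", "https:", "http:"]);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Only the first occurrence of a directive is honoured by browsers.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function auditCheckoutCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const [directive, fallsBack] of Object.entries(EXFIL_DIRECTIVES)) {
    let sources = policy.get(directive);
    if (!sources && fallsBack) sources = policy.get("default-src");
    if (!sources) {
      findings.push(`${directive}: not restricted`);
      continue;
    }
    const broad = sources.filter((s) => TOO_BROAD.has(s.toLowerCase()));
    if (broad.length) findings.push(`${directive}: allows any host (${broad.join(" ")})`);
  }
  return findings;
}

// Constructed sample policies for a hypothetical shop.
const weak = "default-src https:; script-src 'self' https://www.googletagmanager.com";
const strict = "default-src 'none'; script-src 'self' https://www.googletagmanager.com; " +
  "connect-src 'self'; img-src 'self'; form-action 'self'";
console.log(auditCheckoutCsp(weak));
console.log(auditCheckoutCsp(strict));
```

Allowing the GTM host in `script-src` still runs whatever the tag container serves, so the outbound directives are what limit where captured form data can be sent.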

“The threat actors were also taking the time to customize their skimmer for each victim site with very convincing templates that were even localized in several languages. The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen,” Malwarebytes researchers wrote.

The infrastructure is located on the IT WEB LTD network, registered in the British Virgin Islands.

The skimming campaign peaked in April before slowing down over the summer. It then returned, increasing to its highest volume in October.

Source: Malwarebytes
