Global Magecart Campaign Targets Six Card Networks


Security researchers have warned of a major digital skimming campaign that has gone undetected since 2022.

Silent Push said the campaign uses scripts targeting at least six major payment network providers: American Express, Diners Club, Discover, JCB, Mastercard and UnionPay. Given these account for the majority of credit card payments worldwide, most locally issued cards are at risk, it added.

Known generically as “Magecart,” these attacks typically involve malicious JavaScript covertly injected into an e-commerce website or payment portal.

When a victim comes to pay, the script intercepts their payment card details, name, address and shipping details during checkout. The threat actors can then use these details themselves for identity and payment fraud, or sell them on the dark web.

Crucially, because the attack operates client-side, the code runs in the victim’s browser and the stolen data is sent straight from there to the attacker, never passing through the merchant’s servers. That makes it virtually invisible to both the site owner and the end-user victim.


Silent Push said it discovered the campaign after analyzing a suspicious domain linked to bulletproof hoster and European-sanctioned entity PQ.Hosting/Stark Industries (aka THE.Hosting/WorkTitans B.V).

Further digging revealed the domain hosted several URLs that loaded highly obfuscated scripts, such as cdn-cookie[.]com/recorder.js.

“Further analysis of the scripts and related domains revealed a broader picture: a long-term web-skimming campaign with several ongoing infections dating back to approximately 2022,” Silent Push said.

Attacks follow the classic Magecart pattern:

  1. A threat actor compromises an e-commerce site/payment portal and adds the malicious JavaScript to it
  2. The code activates when the victim goes to pay
  3. The skimmer waits until the checkout page has completely loaded
  4. The skimming code creates a malicious iframe that renders a fake payment form, complete with the relevant branding and styling, and hides the real form behind it
  5. The victim fills out their details, which are forwarded to the attacker. The fake form is then removed, the original is restored and an error is shown, so the victim assumes a typo and re-enters the details into the genuine form

“As the victim entered their credit card details into a fake form instead of the real Stripe payment form, which was initially hidden by the skimmer when they initially filled it out, the payment page will display an error. This makes it appear as if the victim had simply entered their payment details incorrectly,” Silent Push explained.

“Most of the time, online shoppers are unaware that they have just been victimized. Instead, they will assume they made a mistake, then re-enter their credentials, and proceed as usual. The second payment attempt will then be processed successfully as they interact with the original benign payment form.”

How to Stay Safe From Web Skimming Attacks

Silent Push urged vendors to take the following defensive measures, in order to mitigate the threat from Magecart campaigns like this:

  • Implement a content security policy (CSP) that restricts which origins may serve external resources such as JavaScript and frames to the checkout page, reducing the risk from injected code
  • Follow PCI DSS requirements to secure storage, processing and transmission of cardholder data
  • Regularly update content management systems, plugins and other software to minimize the attack surface
  • Enforce strong access controls for admin accounts including strong, unique credentials and multi-factor authentication (MFA) to prevent unauthorized access
  • Periodically test websites using the browser’s incognito/private mode, or after clearing the browser cache and history. Many web injection-based threats check for cookies that identify administrative users and deliberately refrain from executing malicious code in their presence
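The CSP advice above is easiest to reason about with a policy in hand. What follows is an added example, not code from the Silent Push report or from any merchant platform: a simplified CSP source-expression evaluator in Node.js run over a constructed inventory of what a Stripe-backed checkout page loads, with a permissive policy beside a hardened one, plus a differential check for the last bullet that diffs the script and iframe sources served to an anonymous session against those served to a logged-in admin. The merchant origin shop.example, the fake-form frame origin fake-form.invalid, the nonce value, the Stripe allowlist and the HTML snippets are assumptions; the loader host cdn-cookie[.]com/recorder.js is the one the report names.

```javascript
// Added example, not Silent Push's code: a simplified CSP evaluator run over a
// constructed checkout-page inventory, plus a differential source check for
// cookie-gated skimmers. Omitted: 'strict-dynamic', redirects, default ports.

// "name src src; name src" -> Map; first occurrence of a directive wins, as in browsers.
function parseCsp(policy) {
  const csp = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !csp.has(name.toLowerCase())) csp.set(name.toLowerCase(), sources);
  }
  return csp;
}

// frame-src falls back to child-src then default-src; script-src to default-src.
const FALLBACK = { 'script-src': ['script-src', 'default-src'], 'frame-src': ['frame-src', 'child-src', 'default-src'] };

// Source list governing a resource type, or null when the policy is silent on it.
function effectiveSources(csp, directive) {
  const name = FALLBACK[directive].find((n) => csp.has(n));
  return name === undefined ? null : csp.get(name);
}

// Does one source expression permit loading `url` into a page at pageOrigin?
function sourceMatchesUrl(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase(); // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) && url.hostname.length > h.length - 1 : h === url.hostname;
  if (!hostOk) return false;
  if (port && port !== '*' && url.port !== port) return false;
  if (path) return path.endsWith('/') ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

function externalAllowed(policy, pageOrigin, type, rawUrl) {
  const sources = effectiveSources(parseCsp(policy), type === 'script' ? 'script-src' : 'frame-src');
  if (sources === null) return true; // nothing restricts this resource type
  const url = new URL(rawUrl);
  return sources.some((s) => sourceMatchesUrl(s, url, pageOrigin));
}

// Inline <script> (how a skimmer lands when the attacker edits the page template):
// allowed by a matching nonce, or by 'unsafe-inline' only when no nonce/hash is present.
function inlineScriptAllowed(policy, nonce) {
  const sources = effectiveSources(parseCsp(policy), 'script-src');
  if (sources === null) return true;
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed inventory for an assumed merchant origin. The loader host is the one
// named in the report, kept defanged and refanged only for parsing; the fake-form
// frame origin is a placeholder.
const refang = (s) => s.replace(/\[\.\]/g, '.');
const PAGE_ORIGIN = 'https://shop.example';
const CHECKOUT_RESOURCES = [
  { type: 'script', url: 'https://shop.example/static/checkout.js' },
  { type: 'script', url: 'https://js.stripe.com/v3/' },
  { type: 'script', url: refang('https://cdn-cookie[.]com/recorder.js') },
  { type: 'frame', url: 'https://js.stripe.com/v3/' },
  { type: 'frame', url: 'https://fake-form.invalid/' },
];
const WEAK_CSP = "default-src 'self'; script-src * 'unsafe-inline'; frame-src *";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://js.stripe.com 'nonce-d2VsbCBkb25l'; "
  + "frame-src https://js.stripe.com https://hooks.stripe.com; object-src 'none'; base-uri 'self'";

// URLs in the inventory that a policy would refuse to load.
function blockedResources(policy, resources = CHECKOUT_RESOURCES) {
  return resources.filter((r) => !externalAllowed(policy, PAGE_ORIGIN, r.type, r.url)).map((r) => r.url);
}

// Differential check for the last bullet: compare external script/iframe sources in
// the page as served to an anonymous session and to a logged-in admin session.
function externalSources(html) {
  return [...html.matchAll(/<(?:script|iframe)\b[^>]*\bsrc=["']([^"']+)["']/gi)].map((m) => m[1]);
}
function anonymousOnlySources(anonHtml, adminHtml) {
  const admin = new Set(externalSources(adminHtml));
  return externalSources(anonHtml).filter((src) => !admin.has(src));
}
// Constructed responses: same checkout page fetched from incognito and as an admin.
const ADMIN_HTML = '<script src="/static/checkout.js"></script><script src="https://js.stripe.com/v3/"></script>';
const ANON_HTML = ADMIN_HTML + `<script src="${refang('https://cdn-cookie[.]com/recorder.js')}"></script>`;

console.log('weak policy blocks:', blockedResources(WEAK_CSP));
console.log('hardened policy blocks:', blockedResources(HARDENED_CSP));
console.log('inline skimmer allowed (weak, hardened):', inlineScriptAllowed(WEAK_CSP), inlineScriptAllowed(HARDENED_CSP));
console.log('served only to anonymous shoppers:', anonymousOnlySources(ANON_HTML, ADMIN_HTML));
```

Run as written, the permissive policy (wildcard plus 'unsafe-inline') blocks nothing in the inventory, while the hardened one refuses both the recorder.js loader and the fake-form frame and rejects any inline script that lacks the per-response nonce. Two caveats a practitioner should keep in mind: an attacker who already has write access to the server can rewrite the CSP header along with the page, so the policy mainly contains injections that arrive through a compromised third-party script or stored XSS; and because skimmers of this kind gate on admin cookies, the inventory fed to the evaluator should come from an incognito session, which is what the differential check is for. Deploying the policy first under the Content-Security-Policy-Report-Only header lets you find legitimate third-party loads before enforcing it.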

The vendor also urged end users to do their bit by only shopping on trusted platforms, using browser/endpoint security solutions that block known malicious domains and scripts, and being alert to checkout anomalies.

They should also regularly review bank/card statements to spot suspect transactions promptly, it added.
