Dutch ecommerce malware and vulnerability detection company Sansec says it has found a new digital credit card skimmer that has also affected hosted online stores on Shopify and BigCommerce. The skimmer code was also found on self-hosted online stores running the Zencart and WooCommerce open-source systems.
Online skimming attacks are also known as Magecart attacks. In a Magecart attack, personal transaction data is intercepted during the checkout phase of the infected online store and sent to the hacker group that developed the exploit. The personal data can then be sold or traded on the darknet or used by the hacker(s) for their own purposes.
Typically, digital commerce skimming attacks are found more easily on self-hosted open-source platforms, especially older systems such as Magento 1 Community Edition, which is no longer supported by the original developers and may carry old, unpatched vulnerabilities.
How Does This Skimming Attack Work?
In this case, the hackers did not need to tamper with the platform's real checkout page at all: they displayed a fraudulent payment form and recorded the customer's keystrokes (credit card and other personal details) before the customer reached the actual checkout page.
Once the data was intercepted, the skimmer showed an error message and redirected the customer to the real payment page. The use of the PayPal logo in this skimming attack is just a visual distraction to give the buyer "confidence" that the form is "real." The attack does not require the merchant to have a PayPal account, nor does it exploit a new PayPal vulnerability.
“It is remarkable that so many different platforms are compromised in the same campaign. Typically, criminals exploit a flaw in a single platform. Attackers may have breached a shared component, e.g. software or a service that is used by all affected merchants. Another curious technique is that this skimmer uses programmatically generated exfiltration domains. It keeps a counter and uses base64 encoding to produce a new domain name.”
Sansec statement
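The generated-domain detail in the Sansec statement suggests a cheap detection check a merchant or SOC can run over the outbound requests a checkout page makes (a proxy log or a browser HAR export). The script below is an added example, not code from the article or from Sansec. It assumes that the counter is a small integer whose decimal string is base64-encoded and then used as one label of the hostname (Sansec only says "counter" and "base64", so the exact scheme is an assumption), and it pre-computes every label such a scheme could produce and looks for them in hosts outside a merchant allowlist. The request list and allowlist are constructed sample data.

```python
import base64
from urllib.parse import urlsplit

# Hosts this hypothetical merchant legitimately contacts during checkout (constructed).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}

# Constructed sample of outbound requests captured while loading the checkout page,
# the kind of list a proxy log or browser HAR export would give you. Not real data.
SAMPLE_REQUESTS = [
    "https://shop.example/checkout/onepage/",
    "https://cdn.shop.example/static/checkout.js",
    "https://js.payment-provider.example/v3/",
    "https://fonts.gstatic.com/s/roboto.woff2",      # unlisted but benign-looking
    "https://mjuw.checkout-stats.example/collect",  # first label = base64("250")
    "https://mtc.cdn-assets.example/loader.js",     # first label = base64("17")
]


def candidate_labels(max_counter=100_000):
    """Map every DNS label a base64-encoded counter could produce back to the counter.

    Assumption (not from the article): the counter is the decimal string of a small
    integer, base64-encoded, with '=' padding dropped because padding is not legal in
    a hostname. Labels are case-folded because DNS names are case-insensitive; for
    base64 of digit strings this folding introduces no collisions.
    """
    labels = {}
    for n in range(max_counter):
        enc = base64.b64encode(str(n).encode()).decode().rstrip("=")
        labels[enc.lower()] = n
    return labels


CANDIDATES = candidate_labels()


def flag_requests(urls, allowed_hosts=ALLOWED_HOSTS, candidates=CANDIDATES):
    """Return (url, host, {label: counter}) for every request to a host outside the
    allowlist that carries a label matching a base64-encoded counter."""
    findings = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if not host or host in allowed_hosts:
            continue
        # Skip the TLD; any other label may be the generated component.
        hits = {p: candidates[p] for p in host.split(".")[:-1] if p in candidates}
        if hits:
            findings.append((url, host, hits))
    return findings


if __name__ == "__main__":
    for url, host, hits in flag_requests(SAMPLE_REQUESTS):
        print(f"suspicious exfiltration host {host} (decoded counter {hits}) in {url}")
```

Because every candidate label starts with "m", "n" or "o" and has a fixed set of lengths, ordinary hostnames rarely collide with the table, but the allowlist is still the primary control: anything the checkout page contacts that is not on it deserves a look whether or not its label decodes.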
Skimming Attack Active Since August 2020
Sansec said the skimming attack has been active since at least August 2020. The cybersecurity company also said it involved a dozen stores, but it is unclear from Sansec's information how fast this issue is spreading and whether other platforms could be vulnerable.
As a precaution, online merchants should walk through their own checkout process as a customer would, looking for anything unexpected. This is good practice at regular intervals, and especially after adding, updating, or changing plugins or themes.
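Walking through the checkout by hand catches a visibly fake form, but an injected script is easier to spot by comparing the page against a known-good snapshot. The script below is an added example, not code from the article or from any of the platforms it names: it inventories the external and inline scripts on a fetched checkout page, then reports any external script from a host outside the merchant's allowlist and any inline script whose SHA-256 digest was not present in the baseline. The merchant hostname, allowlist and both HTML documents are constructed sample data; in practice the baseline is re-captured after every intentional plugin or theme change and the audit is run on a schedule.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical merchant; the allowlist names the only hosts scripts may load from.
FIRST_PARTY = "shop.example"
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY, "cdn.shop.example", "js.payment-provider.example"}

# Constructed snapshot of the checkout page taken right after the last intended change.
BASELINE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v3/"></script>
<script>window.checkoutConfig = {"currency": "EUR"};</script>
</head><body><form id="checkout"></form></body></html>
"""

# Constructed page as fetched today: two scripts that were not in the baseline.
CURRENT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v3/"></script>
<script>window.checkoutConfig = {"currency": "EUR"};</script>
<script src="https://cdn-assets.example/loader.js"></script>
<script>document.addEventListener("DOMContentLoaded", function () { /* not in baseline */ });</script>
</head><body><form id="checkout"></form></body></html>
"""


class ScriptInventory(HTMLParser):
    """Collect external script sources and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode()).hexdigest())


def inventory(html):
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    return inv


def audit_checkout(html, baseline_html, first_party=FIRST_PARTY,
                   allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Diff a freshly fetched checkout page against the known-good baseline."""
    known_inline = set(inventory(baseline_html).inline)
    now = inventory(html)
    unexpected_external = [
        src for src in now.external
        # Relative src values are first-party; everything else must be allowlisted.
        if (urlsplit(src).hostname or first_party).lower() not in allowed_hosts
    ]
    unexpected_inline = [h for h in now.inline if h not in known_inline]
    return {"unexpected_external": unexpected_external,
            "unexpected_inline": unexpected_inline}


if __name__ == "__main__":
    report = audit_checkout(CURRENT_HTML, BASELINE_HTML)
    for src in report["unexpected_external"]:
        print("external script from non-allowlisted host:", src)
    for digest in report["unexpected_inline"]:
        print("inline script not present in baseline, sha256:", digest)
```

Hashing inline scripts rather than storing their text keeps the baseline small and still flags any edit to a legitimate inline block, which is the usual place a skimmer hides on a self-hosted store; the same digests can later be reused as a content security policy hash allowlist if the platform permits one.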
For Zencart and WooCommerce, merchants may be able to get help from their hosting company if the host supports installations of these open-source platforms. Otherwise, merchants may need to seek help on the user forums run by the developers of the commerce systems, or hire a third-party developer or cybersecurity specialist.