Recent findings from cybersecurity researchers have uncovered an ongoing campaign by Magecart hackers that targets unwary online shoppers. The campaign utilizes customized modal elements to hijack checkout pages on compromised e-commerce websites, creating fake payment screens almost indistinguishable from legitimate ones. According to Malwarebytes’ Director of Threat Intelligence, Jérôme Segura, the fake payment screens look even more realistic than the actual payment pages they mimic.
Magecart is a term used to describe a group of cybercriminals who use online skimming techniques to steal personal data from websites, focusing on customer information and payment data. Originally named after a group that targeted the Magento platform, Magecart attacks have been identified since 2010. As of 2022, it was estimated that over 70,000 online stores have been compromised by these groups.
Traditionally, Magecart attacks rely on various types of JavaScript to collect sensitive information from website users. However, the latest version identified by Malwarebytes uses a skimmer called Kritec to intercept the checkout process on a Parisian travel accessory store running on the PrestaShop CMS. Once a credit card payment is selected, Kritec loads a malicious modal that appears to be a legitimate payment dialogue box. The skimmer is sophisticated, heavily obfuscated, and impersonates trusted third-party vendors like Google Tag Manager to evade detection. To stay safe, online shoppers must remain vigilant and cautious when making online payments, especially on unfamiliar or compromised websites.
The skimmer employed in this campaign briefly displays a fake error message about payment cancellation before redirecting the user to the actual payment page. Once the payment is complete, the skimmer drops a cookie to indicate a successful session, preventing the fake modal from appearing again if the user attempts another payment.
The attackers use various domains to host the skimmer, each with a name similar to the compromised store’s domain, indicating that the attacks are customized and targeted for each store. With realistic-looking payment screens, the Magecart hackers make it challenging for users to differentiate between legitimate and fake payment pages. Malwarebytes’ Segura recommends exercising caution while making online payments, particularly when using unfamiliar or new e-commerce websites.
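For store operators, the lookalike hosting domains described above are something a script audit of the checkout page can catch. The following is an added example, not code from Malwarebytes or from the article: it lists every external script host on a page and flags hosts that are off the store's allow-list, marking those whose name closely resembles the store's own. The store name, the sample page, the allow-list and the 0.8 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: checkout page of a hypothetical store, www.maison-voyage.example
STORE_HOST = "www.maison-voyage.example"
ALLOWED_HOSTS = {"www.googletagmanager.com"}  # assumed allow-list kept by the store
SAMPLE_HTML = """
<html><head>
<script src="/themes/core.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.maison-voyages.example/gtm.js"></script>
<script src="//static.widgets-cdn.example/chat.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def site_label(host):
    # Simplification: take the label left of the TLD. A production audit
    # would resolve the registrable domain with the Public Suffix List.
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def audit_scripts(html, store_host, allowed_hosts, threshold=0.8):
    """Return (host, verdict) for each script host that is neither first-party nor allow-listed."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative (first-party) paths
        if host is None or host == store_host or host in allowed_hosts:
            continue
        ratio = SequenceMatcher(None, site_label(store_host), site_label(host)).ratio()
        findings.append((host, "lookalike" if ratio >= threshold else "unlisted"))
    return findings

if __name__ == "__main__":
    for host, verdict in audit_scripts(SAMPLE_HTML, STORE_HOST, ALLOWED_HOSTS):
        print(f"{verdict:9} {host}")
```

A "lookalike" verdict is a prompt for review rather than proof of compromise, and "unlisted" hosts deserve the same check against what the store actually deployed.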
This campaign’s discovery follows the recent identification of another Magecart skimmer that collects browser fingerprint data, including IP addresses, User-Agent strings, and payment data. This skimmer is likely intended to track security researchers and bots that attempt to detect malicious code on websites.