Fake Google domain used in attacks to deploy skimmer on Magento sites
- The malicious code automatically changes its behavior when DevTools are toggled in Google Chrome or Mozilla Firefox.
The website was reported to Sucuri researchers by its owner after it was blacklisted and was marked as a “Dangerous Site” by McAfee SiteAdvisor.
How does it work?
- The code does not send any user input to the C2 server while DevTools is open. When DevTools is closed, the captured input is sent to the fake Google domain. According to Sucuri researchers, the site visitors are presented with another fake Google domain.
- Furthermore, the card skimmer on the affected sites is believed to work on a dozen payment gateways.
- The malicious site hosting the skimmer code also hosts another piece of malicious code that targets the Magento admin interface.
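As an added, defender-side example (not code from Sucuri or from the skimmer), the following Python script shows one way to catch the kind of fake internationalized Google domain described above in a web server or proxy request log: it decodes the punycode ("xn--") labels of every hostname it sees, maps look-alike Cyrillic, Greek and digit characters back to their Latin counterparts, and reports hosts whose normalized form contains the protected brand name but which are not one of the brand's real domains. The log lines, the two lookalike hostnames and the homoglyph table are constructed for the example. It goes slightly beyond the article's IDN case by also flagging plain-ASCII typosquats such as digits standing in for letters.

```python
"""Flag internationalized (punycode) hostnames that impersonate a trusted brand.

Added example, not Sucuri's code or the skimmer's. Each hostname found in a
request log has its 'xn--' labels decoded, homoglyphs are mapped back to
ASCII, and the host is reported when the resulting "skeleton" contains a
protected brand name but the host is not one of the brand's real domains.
"""
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed, partial homoglyph table (Cyrillic, Greek and digit look-alikes).
# A production check should use the Unicode UTS #39 confusables data instead.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",  # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03c1": "p",                  # Greek
    "0": "o", "1": "l", "3": "e", "5": "s",                                      # digits
}

# Brand to protect and the registrable domains it legitimately uses;
# hostnames equal to or under these suffixes are never flagged.
BRAND = "google"
LEGIT_DOMAINS = ("google.com", "google-analytics.com", "googleapis.com",
                 "googletagmanager.com", "googlesyndication.com")

URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)")


def decode_idn(host: str) -> str:
    """Return the Unicode form of a punycode hostname; pass others through."""
    try:
        ascii_host = host.encode("ascii")
    except UnicodeEncodeError:
        return host  # already Unicode in the log
    try:
        return ascii_host.decode("idna")
    except UnicodeError:
        return host  # malformed punycode: fall back to the raw host


def skeleton(text: str) -> str:
    """Lower-case, NFKC-normalize and map homoglyphs to their Latin look-alikes."""
    norm = unicodedata.normalize("NFKC", text).lower()
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in norm)


def is_legit(host: str) -> bool:
    """True if the host is the brand's own domain or a subdomain of it."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(host: str) -> Optional[str]:
    """Return a reason string if the host impersonates BRAND, else None."""
    if is_legit(host):
        return None
    decoded = decode_idn(host)
    if BRAND not in skeleton(decoded):
        return None
    if any(label.lower().startswith("xn--") for label in host.split(".")):
        return f"IDN lookalike (decodes to {decoded!r})"
    return "ASCII lookalike"


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every logged request to a brand-impersonating host."""
    hits = []
    for line in lines:
        m = URL_HOST_RE.search(line)
        if not m:
            continue
        reason = classify(m.group(1))
        if reason:
            hits.append((m.group(1), reason))
    return hits


# Constructed sample data. The IDN lookalike is built here from two Cyrillic
# 'о' (U+043E) so that no real attacker domain is hard-coded.
FAKE_IDN_HOST = "g\u043e\u043egle-analytics.com".encode("idna").decode("ascii")
FAKE_ASCII_HOST = "g00gle-analytics.com"
SAMPLE_LOG = [  # constructed request-log lines, not taken from the incident
    "2019-01-01T00:00:01Z GET https://www.google-analytics.com/analytics.js 200",
    "2019-01-01T00:00:02Z GET https://shop.example/checkout/ 200",
    f"2019-01-01T00:00:09Z POST https://{FAKE_IDN_HOST}/collect 200",
    f"2019-01-01T00:00:10Z POST https://{FAKE_ASCII_HOST}/collect 200",
]

if __name__ == "__main__":
    for host, reason in scan_log(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

Run against a checkout page's outbound request log (or a proxy log for the store's visitors), this reports only the two constructed lookalikes and leaves the real www.google-analytics.com alone. The allowlist is deliberately short and should be extended with whatever brand domains a given shop legitimately loads, otherwise any third-party host that happens to contain the brand string is reported as a lookalike.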
Sucuri researchers believe that Magento-powered sites are the most attractive targets for credit card stealing attacks.
“During our analysis of hacked websites in 2018, we found that 83% of Magento websites were vulnerable at the point of infection. In an effort to obtain sensitive customer data and credit card information from ecommerce websites, attackers continue to leverage vulnerable Magento installations,” said the researchers.
In this case, there are no other known attack instances that used the same fake internationalized Google domain.