Magecart Hackers Use Telegram-Enabled Skimmer Code

Operators of digital credit-card skimmers keep evolving their tactics to avoid detection. In the first publicly disclosed case of its kind, a skimmer script has been found exfiltrating stolen data via Telegram, the instant messaging platform.

What happened?

Encrypted messaging services are no longer safe from unauthorized access.
  • In late August 2020, hackers affiliated with the Magecart collective were found targeting several e-commerce sites, injecting them with a web skimmer to steal personal and banking information entered by customers during the online checkout process.
  • According to Jérôme Segura, the Threat Intelligence specialist at Malwarebytes, the data the attackers are interested in, such as name, address, credit card number, expiry, and CVV, is relayed via an instant message sent to a private Telegram channel.

E-commerce card skimming landscape

Cybercriminals have been using skimming code on e-commerce payment card processing web pages to harvest customers' payment card details.
  • In July, a hacking group known as Keeper compromised more than 570 online e-commerce portals using a Magecart script to harvest the data entered by shoppers in checkout forms.
  • In June, an online store using the WordPress WooCommerce plugin was infected with a Magecart script, embedded in an image's EXIF data, to steal customers' credit card details.

Tips for defense

Skimming attacks that abuse legitimate communication services can be very deceptive, because that is where people least expect them. To thwart such threats, including cross-site scripting and data injection attacks, security experts say organizations must enforce a Content Security Policy (CSP). In July 2020, CERT-In issued an alert against credit card skimming frauds on e-commerce sites worldwide.
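
To make the CSP advice concrete, here is an added example (not from the original article or from Malwarebytes): a simplified Python audit that reports which CSP directives would still let a checkout page send data to a third-party host. The shop origin and both policies are constructed, `api.telegram.org` is assumed as the Telegram API host, and the source matching deliberately ignores ports, paths and scheme upgrades.

```python
from urllib.parse import urlsplit

EXFIL_DIRECTIVES = ("connect-src", "img-src", "form-action")  # simplified subset

def parse_csp(header):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, url, page_origin):
    """Simplified source matching: ignores ports, paths and scheme upgrades."""
    target, s = urlsplit(url), source.lower()
    if s == "*":
        return target.scheme in ("http", "https", "ws", "wss")
    if s == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if s.startswith("'"):          # 'none', nonces, hashes: never match a URL
        return False
    if s.endswith(":"):            # scheme-source such as "https:"
        return target.scheme == s[:-1]
    scheme, _, host = s.rpartition("://")
    host = host.split("/")[0].split(":")[0]
    if scheme and scheme != target.scheme:
        return False
    if host.startswith("*."):      # wildcard covers subdomains only
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host

def exfil_paths(header, url, page_origin):
    """Return the directives under which the page may still send data to url."""
    policy, allowed = parse_csp(header), []
    for name in EXFIL_DIRECTIVES:
        sources = policy.get(name)
        if sources is None and name != "form-action":  # form-action has no fallback
            sources = policy.get("default-src")
        if sources is None or any(source_allows(s, url, page_origin) for s in sources):
            allowed.append(name)
    return allowed

# Constructed sample data: hypothetical shop origin and policies.
ORIGIN = "https://shop.example"
TELEGRAM = "https://api.telegram.org/"  # assumed Telegram API host
WEAK = "default-src 'self'; script-src 'self' https:; img-src *"
HARDENED = ("default-src 'self'; connect-src 'self' https://pay.example.com; "
            "img-src 'self'; form-action 'self'")
```

Calling `exfil_paths(WEAK, TELEGRAM, ORIGIN)` shows that the weak policy still leaves `img-src` and the unset `form-action` open, because `form-action` does not inherit from `default-src`; the hardened policy closes all three.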