Magecart Hijacks PayPal Transactions at Checkout Page

What has happened?

• The group injected card-skimming scripts on checkout pages in compromised e-commerce websites to steal customers’ payment card details and other information.
• The attackers hid their malicious code inside an image hosted on the server of the infected online store.
• The attacker then uses the data stolen from genuine pages (items added in the shopping cart, total invoice amount along with taxes and additional charges), and uses it to pre-fill the fake PayPal forms during the victim’s checkout process to make its fake payment form look real.
• Once a victim enters and submits payment info, the exfiltrated data will be sent (via skimmer) to apptegmaker[.]com, a domain registered in October, and associated with tawktalk[.]com.

Bad boys keep coming back to PayPal

• In the last month, attackers were seen targeting the users of popular money transfer apps, including Paypal, Cash App, Zelle, and Venmo, as well as using these apps for other illegitimate purposes.
• A network of 39 scam sites was discovered, targeting victims via a PayPal-UPS scam, exploiting some loopholes, and using PayPal as a gateway for stealing money from their victims.

Conclusion