Researchers from Malwarebytes' Threat Intelligence team found several instances of Heroku-hosted Magecart skimmers. Most of these scripts were observed to be used in campaigns this week.
How did this happen?
The Heroku Freemium model allowed attackers to register for a free account and use it as a web hosting service for free.
“Its goal is to monitor the current page and load a second element (a malicious credit card iframe) when the current browser URL contains the Base64 encoded string Y2hlY2tvdXQ= (checkout),” said Jérôme Segura from Malwarebytes.
After harvesting the required details, an error message will be displayed to the victims asking them to reload the page. In cases like this, it is not easy for an average end-user to spot attacks as there are no obvious symptoms.
What is the situation now?
The scripts were reported to the Salesforce Abuse Operations team that removed all of them immediately.
With Magecart attacks being reported frequently, including one at Sweaty Betty today, both organizations and individuals must exercise caution when dealing with financial information online.