A post on Twitter discussed a new JavaScript skimmer developed by a Magecart threat group. The skimmer targets Magento e-commerce websites to steal payment details.

Campaign details

Security researchers from Cyble analyzed a recently disclosed Magecart skimmer.
  • For Magento card skimming, the attacker exploits a vulnerability in Magento e-commerce sites and injects malicious code into the payment forms and checkout pages.
  • If a user visits the compromised website, the skimmer loads a payment overlay and asks for payment details.
  • Subsequently, the JavaScript code collects and sends the Base64-encoded data to a URL controlled by the attacker.
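
The exfiltration step above (Base64-encoded payment data sent to an attacker-controlled URL) can be checked for in requests recorded from a checkout page, for example during a monitored test purchase. The following is an added example, not code from the Cyble analysis: the allow-listed hosts, the sample requests and the test card number are constructed, and the function names are hypothetical.

```javascript
// Added example (not from the original report). Hosts, request data and the
// test card number 4111111111111111 are constructed for illustration.
const ALLOWED_HOSTS = new Set(["shop.example", "payments.example"]);

// Luhn checksum over a 13-19 digit string: true for plausible card numbers.
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Decode each Base64-looking token and look for a Luhn-valid card number.
function hidesCardNumber(text) {
  const tokens = text.match(/[A-Za-z0-9+\/_-]{16,}={0,2}/g) || [];
  return tokens.some((tok) => {
    const decoded = Buffer.from(tok, "base64").toString("latin1");
    const runs = decoded.match(/\d(?:[ -]?\d){12,18}/g) || [];
    return runs.some((run) => luhnValid(run.replace(/\D/g, "")));
  });
}

// Percent-decode without throwing on malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Classify one request observed from the checkout page: { url, body }.
function classify(req) {
  const u = new URL(req.url);
  const payload = safeDecode(u.search) + " " + safeDecode(req.body || "");
  const offList = !ALLOWED_HOSTS.has(u.hostname);
  if (offList && hidesCardNumber(payload)) return "alert";
  return offList ? "review" : "ok";
}

// Constructed sample traffic.
const b64 = (s) => Buffer.from(s).toString("base64");
const card = JSON.stringify({ cc: "4111111111111111", exp: "12/30", cvv: "123" });
const SAMPLES = [
  { url: "https://collector.invalid/g?d=" + encodeURIComponent(b64(card)) },
  { url: "https://payments.example/charge", body: card },
  { url: "https://metrics.example/collect?page=checkout" },
];
console.log(SAMPLES.map(classify));
```

Requests to hosts outside the allow-list are surfaced as "review" even without card data, since a skimmer may encode or encrypt its payload differently from what this check decodes.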

Technical insights

The malicious JS code is loaded with standard skimmer anti-detection features.
  • The skimmer is obfuscated and embedded in the JavaScript file media/js/js-color.min[.]js.
  • When this JavaScript file is executed, it checks whether any dev tool (meant for malware analysis) is installed in the browser. Upon detection, the code terminates to avoid analysis.

Conclusion

Cybercrime activity by Magecart groups on e-commerce platforms has been on the rise. For security reasons, Magento e-commerce site owners should deploy the right tools to detect any anomaly on their portal. Meanwhile, users are advised to use only known and genuine platforms to make purchases.
Cyware Publisher
