New Kritec Skimming Malware Found Targeting Magento Stores

What’s the matter?

• In the newest campaign, Kritec malware was found leveraging GTM script to target Magento stores. 
• In some cases, researchers also observed that some Magento stores were compromised with two skimming malware, including Kritec. 
• The Kritec skimmer code is heavily obfuscated mostly via obfuscator[.]io which includes the use of the Base64 algorithm to hide its identity.
• Once the malware is executed on the website, the stolen credit card details are sent twice - one via a WebSocket skimmer and the other via a POST request. 

Infection via GTM becomes a security concern

• In January, the Liquor Control Board of Ontario (LCBO), fell victim to a web-skimming attack that enabled the attackers to steal customers’ credit card information at checkout. It was found that the web skimmer was injected into the site as an inline script camouflaged as a legitimate Google Analytics Tag.  
• In September 2022, Recorded Future shared details about three significant variants of malicious skimmers hidden within the GTM containers. These e-skimmers were used to collect the payment card data and personal information of customers shopping on e-commerce sites.
• A threat campaign that infected about 316 online stores and approximately 80,000 users was identified in January 2022. The attackers exploited GTM to secretly drop their skimming codes on owners’ websites.

Final words