Hackers target online shoppers in new Adobe e-commerce malware campaign


A new malware campaign that steals payment information from online shoppers has been discovered lurking in dozens of e-commerce sites that use Adobe’s Magento platform, Malwarebytes said on Thursday.

Malwarebytes researchers say they found hundreds of online stores running the Magento e-commerce software compromised by hackers using web skimmers with the same malicious code.

The international cybersecurity solutions firm released its finding in a blog post on Thursday.


The skimming scam

The first part of the scam involves hackers taking advantage of vulnerabilities found in online store websites, which, in this case, appear to be sites using Magento’s open-source e-commerce software. (Magento was bought by Adobe in 2018, and its name was changed to Adobe Commerce in 2021.)

Once a vulnerable store is identified, the hackers inject a snippet of skimmer code into it, often using an automated process to do so.

“When they find a site they can break into, they inject a card skimmer automatically. Their objective is to break into thousands of websites at a time, and the process is automated and can run continuously,” the anti-malware software company states.

Also referred to as digital skimmers, the seemingly harmless line of code is in fact a simple script tag that loads content from a remote website controlled by the hackers, the research explains.

The researchers also noted that the same naming pattern – {domain}.{shop|online}/img/ – was used across multiple sites breached by the hackers.

Image (Malwarebytes skimmer scam, beer e-commerce site): Example of code injection for the online store of a popular European beer manufacturer. Image by Malwarebytes.

Once the skimmer code is injected into a site, hackers can scrape a customer’s payment information in real-time – including names, addresses, email addresses, credit card account numbers, expiration dates, and CVV/CVC numbers – as the shopper is physically typing the information into the payment screen.

This can happen even before the shopper has hit the ‘Submit’ button to complete a purchase.

Next, that sensitive payment data gets automatically redirected to the hacker’s command and control servers where it gets stored in a database for criminal use.

The stolen data may be used straightforwardly by the threat actors to commit fraud, or wind up being sold on the dark web to other cybercriminals.

Image (Malwarebytes skimmer scam, JavaScript): Example of a compromised Canadian university website showing the hacker's remotely loaded JavaScript, which contains a simple function to retrieve information from the compromised site. The site’s domain name is passed as a parameter (‘s’) into another URL meant to retrieve the actual full skimmer code, which consists of a huge blob of obfuscated JavaScript. Images by Malwarebytes.

'Criminals piggyback on to legitimate websites'

“Within a few days, we identified over a dozen attacker-controlled websites set up to receive the stolen data,” said Jérôme Segura, Senior Director of Research at Malwarebytes.

Segura said that during the investigation, the team was able to block “over 1.1K unique theft attempts” by adding the site addresses to an antivirus program or browser malware blocker extension.

Malwarebytes said it identified two distinct techniques the skimmers use to carry out the scam.

The first is when the skimmer reads the details as users type them into the sites’ payment forms, as described above.

The second is when the skimmer code replaces the site's payment forms entirely with convincing-looking fakes.

Attackers have even been seen adding entire checkout pages to sites that don’t take payments, the researchers said.

Image (Malwarebytes skimmer scam, payment forms replaced): During checkout, the payment flow is seamlessly altered so that a fake “Payment Method” frame is inserted within the store’s page. As payment details are entered, the data is transmitted in real time and stored in a criminal database. Image by Malwarebytes.

Ultimately, Malwarebytes explained, every customer making a purchase on an infected website will have their data compromised until the skimmers are discovered and removed.
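Both techniques the research describes, the remote script loader that passes the store's hostname as parameter ‘s’ from a {domain}.{shop|online}/img/ URL and the fake payment frame inserted into the checkout page, leave a trace in the page's HTML: a script or iframe source pointing at a host the store does not own. The following scanner is an added example written for this article, not Malwarebytes' tooling or anything from the research; it assumes a store operator maintains an allowlist of its own script hosts (`ALLOWED_HOSTS`), and the page sample and hostnames in it are constructed to mimic the reported pattern.

```python
"""Flag externally loaded <script> and <iframe> sources on a storefront page.

Added example for this article (not Malwarebytes' code). Assumptions:
  - ALLOWED_HOSTS is the store's own allowlist of hosts it loads code from.
  - SAMPLE_HTML and every hostname in it are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hosts the store legitimately loads code from (assumed allowlist).
ALLOWED_HOSTS = {"www.example-store.test", "cdn.example-store.test"}

# Naming pattern reported in the research: <label>.shop or <label>.online,
# serving the loader from a path under /img/.
SKIMMER_TLD_RE = re.compile(r"\.(shop|online)$", re.I)
SKIMMER_PATH_RE = re.compile(r"^/img/", re.I)


class ExternalLoadCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.loads.append((tag, value))


def _split(url):
    # Scheme-relative URLs (//host/path) have no scheme; give them one so
    # urlsplit recognises the hostname.
    if url.startswith("//"):
        url = "https:" + url
    return urlsplit(url)


def classify_load(tag, url, page_host):
    """Return the reasons this load looks suspicious (empty list if none)."""
    reasons = []
    parts = _split(url)
    host = parts.hostname
    if host is None or host == page_host:
        return reasons  # same-origin load, nothing to report
    if host not in ALLOWED_HOSTS:
        reasons.append(f"{tag} loaded from unapproved host {host}")
    if SKIMMER_TLD_RE.search(host) and SKIMMER_PATH_RE.match(parts.path):
        reasons.append("matches reported {domain}.{shop|online}/img/ naming pattern")
    if page_host in parse_qs(parts.query).get("s", []):
        reasons.append("passes the store's hostname as parameter 's' (loader behaviour)")
    return reasons


def scan_page(html, page_host):
    """Parse a page and return every external load with at least one reason."""
    collector = ExternalLoadCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.loads:
        reasons = classify_load(tag, url, page_host)
        if reasons:
            findings.append({"tag": tag, "url": url, "reasons": reasons})
    return findings


# Constructed checkout page: two legitimate loads, one loader that mimics the
# reported pattern, and one injected frame standing in for a fake payment form.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example-store.test/app.js"></script>
<script src="https://cardgrab-example.shop/img/loader.js?s=www.example-store.test"></script>
</head><body>
<iframe src="https://payfake-example.online/img/pay.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "www.example-store.test"):
        print(finding["tag"], finding["url"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed page, the scanner reports the loader script with three reasons and the injected iframe with two, while the store's own script and its CDN script pass silently. In practice the indicators of compromise published in the research (for example the datawiz[.]shop and salesguru[.]online domains named above) would be added as explicit blocklist entries; the allowlist check is what catches a host the blocklist has not seen yet.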

The compromised storefronts

“Digital skimmers are often impossible to recognize due to how they blend into a website,” said Segura.

“Unless you are inspecting network traffic or debugging the checkout page with Developer Tools, you simply can’t be sure that a store has not been compromised,” they said, underscoring the need for up-to-date anti-malware software or browser extensions installed on a shopper’s devices.

The researchers zeroed in on 15 different website domains infected with the malicious code, including datawiz[.]shop, happywave[.]shop, and salesguru[.]online.

And, although the shops listed in the Malwarebytes research blog post are not household names, there are more than 267,000 online stores powered by the platform formerly known as Magento and now called Adobe Commerce, according to the latest statistics gathered by Creative Trends.

Image (Malwarebytes skimmer scam, malicious domains): List of websites compromised (L). Anti-malware program identifies the skimmer scam as a suspected phishing attack (R). Images by Malwarebytes.

Adobe Commerce handles roughly $155 billion worth of transactions every year, with big name-brand e-commerce sites, such as Nike, Hewlett Packard, Coca-Cola, Ford, T-Mobile, Bulgari, Helly Hansen, and VF Corporation (Vans, The North Face), using the platform as well.

The majority of users shopping at Adobe Commerce-powered sites are located in the US, the Creative Trends numbers show. Large concentrations of Adobe Commerce sites were also found across Europe, with the UK and the Netherlands ranking the highest, as well as in India and Australia.

Malwarebytes said it contacted the stores listed in the blog post and alerted Cloudflare, a widely used e-commerce security solutions provider, which has since flagged the malicious scam as phishing.