A new malware campaign that steals payment information from online shoppers has been discovered lurking in dozens of e-commerce sites that use Adobe’s Magento platform, Malwarebytes said on Thursday.
Malwarebytes researchers say they found hundreds of online stores running the Magento e-commerce software compromised by hackers using web skimmers with the same malicious code.
The international cybersecurity solutions firm released its finding in a blog post on Thursday.
“We recently detected a new malware campaign targeting a number of online stores running Magento, a popular e-commerce platform. Due to the compromises looking similar, we believe the threat actors likely used the same vulnerability to plant their malicious code. 1/🧵”
Malwarebytes (@Malwarebytes), August 22, 2024
The skimming scam
The first part of the scam involves hackers taking advantage of vulnerabilities found in online store websites, which, in this case, appear to be sites using Magento’s open-source e-commerce software. (Magento was bought by Adobe in 2018, and its name was changed to Adobe Commerce in 2021.)
Once identified, the hackers then inject a snippet of skimmer code into each of the e-commerce stores, often using an automated process to do so.
“When they find a site they can break into, they inject a card skimmer automatically. Their objective is to break into thousands of websites at a time, and the process is automated and can run continuously,” the anti-malware software company states.
Also referred to as digital skimmers, the seemingly harmless line of code is actually a simple script tag loading content from a remote website controlled by hackers, the research explains.
The researchers also noted that the same naming pattern – {domain}.{shop|online}/img/ – was found to be used across multiple sites breached by the hackers.
Once the skimmer code is injected into a site, hackers can scrape a customer’s payment information in real-time – including names, addresses, email addresses, credit card account numbers, expiration dates, and CVV/CVC numbers – as the shopper is physically typing the information into the payment screen.
This can happen even before the shopper has hit the ‘Submit’ button to complete a purchase.
Next, that sensitive payment data gets automatically redirected to the hacker’s command and control servers where it gets stored in a database for criminal use.
The stolen data may be used straightforwardly by the threat actors to commit fraud, or wind up being sold on the dark web to other cybercriminals.
'Criminals piggyback on to legitimate websites'
“Within a few days, we identified over a dozen attacker-controlled websites set up to receive the stolen data,” said Jérôme Segura, Senior Director of Research at Malwarebytes.
Segura said that during the investigation, the team was able to block “over 1.1K unique theft attempts” by adding the site addresses to an antivirus program or browser malware blocker extension.
Malwarebytes said it identified two distinct instances using the skimmers to set up the scam.
First is when the skimmer reads the details as users type them into the sites’ payment forms, as described above.
Second is when the skimmer code is written so that the sites’ payment forms are completely replaced with convincing-looking fakes.
Attackers have even been seen adding entire checkout pages to sites that don’t take payments, the researchers said.
When it comes down to it, Malwarebytes explained that every customer making a purchase on an infected website will have their data compromised until the skimmers are discovered and removed.
The compromised storefronts
“Digital skimmers are often impossible to recognize due to how they blend into a website,” said Segura.
“Unless you are inspecting network traffic or debugging the checkout page with Developer Tools, you simply can’t be sure that a store has not been compromised,” Segura said, underscoring the need for up-to-date anti-malware software or browser extensions installed on a shopper’s devices.
The researchers zeroed in on 15 different website domains infected with the malicious code, including datawiz[.]shop, happywave[.]shop, and salesguru[.]online.
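The article describes the skimmer as a plain script tag loading content from an attacker-controlled host that follows the {domain}.{shop|online}/img/ naming pattern, and Segura notes that inspecting the checkout page is the only way to be sure. The following added example (not code from Malwarebytes or the article) shows how a store operator or analyst could audit a checkout page's script tags offline: it parses the HTML, classifies each script source as first-party, unknown third-party, or matching the reported naming pattern, and returns the suspicious ones. The allowlisted hosts (shop.example, static.shop.example) and the sample checkout HTML are constructed for the example; the two loader domains in the sample are taken from the domains the article lists, written defanged and refanged in code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) store legitimately loads scripts from.
# Assumption: a real audit would take this from the store's own asset inventory.
FIRST_PARTY_HOSTS = {"shop.example", "static.shop.example"}

# Naming pattern reported for the skimmer loaders: {domain}.{shop|online}/img/
SKIMMER_TLDS = {"shop", "online"}
SKIMMER_PATH_RE = re.compile(r"^/img/", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def classify_script(src, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return (verdict, reason) for one script src.

    verdict is 'first-party', 'third-party' or 'suspicious'.
    """
    parsed = urlparse(src)
    host = parsed.hostname  # None for relative paths like /static/...
    if host is None:
        return "first-party", "relative path"
    host = host.lower()
    if host in first_party_hosts:
        return "first-party", "allowlisted host"
    tld = host.rsplit(".", 1)[-1]
    if tld in SKIMMER_TLDS and SKIMMER_PATH_RE.match(parsed.path):
        return "suspicious", "matches reported {domain}.{shop|online}/img/ pattern"
    return "third-party", "external host not in allowlist"


def audit_checkout_html(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Classify every script src found in the given checkout page HTML."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        verdict, reason = classify_script(src, first_party_hosts)
        findings.append({"src": src, "verdict": verdict, "reason": reason})
    return findings


def suspicious_scripts(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return only the script srcs that match the reported skimmer pattern."""
    return [f["src"] for f in audit_checkout_html(html, first_party_hosts)
            if f["verdict"] == "suspicious"]


# Constructed sample checkout page: two legitimate loads, one unknown third-party
# CDN, and two loaders on domains the article names (defanged here, refanged below).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="https://js.payments-cdn.example/v3.js"></script>
<script src="https://datawiz[.]shop/img/loader.js"></script>
<script src="//salesguru[.]online/img/app.js"></script>
</head><body><form id="checkout"></form></body></html>
""".replace("[.]", ".")


if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(f"{finding['verdict']:12} {finding['src']}  ({finding['reason']})")
```

Anything classified as third-party still deserves a look: the pattern match only catches loaders that follow the naming convention Malwarebytes reported, so the allowlist, not the regex, is what makes an unexpected host stand out. The same comparison is what a Content-Security-Policy with a strict script-src allowlist would enforce in the browser.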
And, although the shops listed in the Malwarebytes research blog post are not household names, there are more than 267,000 online stores powered by the former Magento-turned-Adobe Commerce platform, according to the latest statistics gathered by Creative Trends.
Adobe Commerce handles roughly $155 billion worth of transactions every year, with big name-brand e-commerce sites, such as Nike, Hewlett Packard, Coca-Cola, Ford, T-Mobile, Bulgari, Helly Hansen, and VF Corporation (Vans, Northface), using the platform as well.
The majority of users shopping at Adobe Commerce-powered sites are located in the US, the Creative Trends numbers show. Large concentrations of Adobe Commerce sites were also found across Europe, with the UK and the Netherlands ranking the highest, as well as in India and Australia.
Malwarebytes said it contacted the stores listed in the blog post and alerted Cloudflare, a widely used e-commerce security solutions provider, which has since flagged the malicious scam as phishing.