Malwarebytes Labs detected a Magecart skimmer that not only acquires the victim’s email, address, phone number, and credit card details but also records their IP address and browser user agent.
Magecart attacks have become an increasingly prevalent threat for businesses that handle financial transactions online. These attacks involve the use of skimmers that are specifically designed to steal sensitive information, such as credit card numbers and other personal data, from unsuspecting victims.
What’s happening?
Security researchers found that the attackers are also attempting to build a unique profile of the victim (fingerprinting), a technique familiar from traditional malware campaigns, which is curious given that the victim has already provided their home address. However, there is something unique about this campaign.
- The Magecart skimmer uses iframes that are loaded when the checkout page is accessed. This iframe is only loaded if the browser’s local storage does not include a font item (it is equivalent to using cookies to detect returning visitors).
- The result is a page identical to that of an official payment platform, and the victim is none the wiser.
- The underlying code scrapes everything from the customer’s contact and payment forms. (This part of the campaign alone can safely be called a data breach.)
Let’s dive into the details
The skimming code queries a legitimate Cloudflare API endpoint and extracts two specific pieces of information: the user’s current IP address and browser user-agent string.
- It’s important to note that this occurs after the skimmer has already obtained the victim’s credit card data, and not before.
- The researchers believe that the threat actors are collecting IP addresses and user-agent strings for quality checks and to weed out invalid users, such as bots and security researchers.
- While this behavior may not necessarily be harmful on its own, it does demonstrate the advanced capabilities of modern skimming techniques.
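The two behaviours described above, the iframe overlay loaded on the checkout page and the extra outbound lookup of the visitor's IP address and user-agent, are both things a merchant can check for on their own pages. The following Node.js script is an added example, not code from the Malwarebytes Labs write-up or any skimmer: it audits a checkout page's iframes and observed network requests against an allow-list and against the page's Content-Security-Policy header, so that a permissive policy shows up as "this traffic would have been allowed". All origins, headers and HTML in it are constructed sample data, and the CSP matching is a simplification (ports and paths are ignored).

```javascript
// Parse a CSP header into a Map of directive name -> source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Effective source list for a fetch directive, following CSP's fallback chain
// (frame-src -> child-src -> default-src; connect-src -> default-src).
// Returns null when no directive applies, i.e. the browser allows everything.
const FALLBACK = {
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
};
function effectiveSources(directives, name) {
  for (const n of FALLBACK[name]) if (directives.has(n)) return directives.get(n);
  return null;
}

// Host-source matching: exact host, or '*.example' for any subdomain.
function hostMatches(pattern, host) {
  return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : pattern === host;
}

// Would this source list let the page load/contact `origin`? Handles 'none', '*',
// 'self', scheme-only sources (https:) and host sources with an optional scheme.
// Ports and paths are ignored: a simplification, not full CSP semantics.
function sourceAllows(sources, origin, pageOrigin) {
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const target = new URL(origin);
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'") {
      if (new URL(pageOrigin).origin === target.origin) return true;
      continue;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {          // scheme-source, e.g. "https:"
      if (src === target.protocol) return true;
      continue;
    }
    let scheme = target.protocol, rest = src;         // host-source, e.g. "https://pay.psp.example"
    const i = src.indexOf('://');
    if (i !== -1) { scheme = src.slice(0, i) + ':'; rest = src.slice(i + 3); }
    if (scheme !== target.protocol) continue;
    const host = rest.split('/')[0].split(':')[0];
    if (hostMatches(host, target.hostname)) return true;
  }
  return false;
}

// Collect the origins of every <iframe src="..."> in the served HTML.
function iframeOrigins(html) {
  const found = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (let m; (m = re.exec(html)) !== null; ) {
    try { found.push(new URL(m[1]).origin); } catch { /* relative or malformed src: skip */ }
  }
  return found;
}

// Audit one checkout page. `observedRequestOrigins` is what the browser actually
// contacted while loading the page (e.g. from a HAR capture or CSP violation reports).
function auditCheckout({ pageOrigin, csp, html, expectedFrameOrigins,
                         expectedConnectOrigins, observedRequestOrigins }) {
  const d = parseCsp(csp);
  const frameSrc = effectiveSources(d, 'frame-src');
  const connectSrc = effectiveSources(d, 'connect-src');
  const findings = [];
  for (const o of iframeOrigins(html)) {
    if (!expectedFrameOrigins.includes(o)) {
      findings.push({ kind: 'unexpected-iframe', origin: o, cspAllows: sourceAllows(frameSrc, o, pageOrigin) });
    }
  }
  for (const o of observedRequestOrigins) {
    if (!expectedConnectOrigins.includes(o)) {
      findings.push({ kind: 'unexpected-request', origin: o, cspAllows: sourceAllows(connectSrc, o, pageOrigin) });
    }
  }
  // A policy that blocks the legitimate payment endpoints is a bug, not a defence.
  for (const o of expectedConnectOrigins) {
    if (!sourceAllows(connectSrc, o, pageOrigin)) {
      findings.push({ kind: 'blocks-required-endpoint', origin: o, cspAllows: false });
    }
  }
  return findings;
}

// Constructed sample: the merchant's page with its legitimate PSP iframe, a second
// injected iframe, and an outbound request to a Cloudflare origin that the payment
// flow itself never needs (the IP/user-agent lookup described in the write-up).
const SAMPLE = {
  pageOrigin: 'https://shop.example',
  html: '<form id="checkout"></form>' +
        '<iframe src="https://pay.psp.example/card-form"></iframe>' +
        '<iframe src="https://static.unknown-cdn.example/checkout.html"></iframe>',
  expectedFrameOrigins: ['https://pay.psp.example'],
  expectedConnectOrigins: ['https://shop.example', 'https://api.psp.example'],
  observedRequestOrigins: ['https://api.psp.example', 'https://www.cloudflare.com'],
};
// Weak policy: any https origin may frame the page or be contacted.
const WEAK_CSP = "default-src 'self' https:";
// Corrected policy: frames and fetches pinned to the payment provider.
const STRICT_CSP = "default-src 'self'; frame-src https://pay.psp.example; " +
                   "connect-src 'self' https://api.psp.example";

function auditWith(csp) { return auditCheckout({ ...SAMPLE, csp }); }

console.log('weak CSP:  ', auditWith(WEAK_CSP));
console.log('strict CSP:', auditWith(STRICT_CSP));
```

Both policies produce the same two findings (the injected iframe and the unexpected request), but only under the strict policy does `cspAllows` come back `false` for each of them; the weak `https:` source would have let the overlay and the fingerprinting request through. The allow-list comparison is the detection, the CSP check tells you whether the browser would have enforced it.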
With access to a wide range of personal data and sophisticated monitoring tools, cybercriminals can carry out complex attacks that are difficult to detect and prevent.
The bottom line
Credit card skimmers have long targeted Magento and WordPress/WooCommerce eCommerce platforms. Online merchants should therefore be aware of such threats and implement proactive and robust security defenses. Moreover, Malwarebytes Labs has provided IOCs for analysts to use and take appropriate measures.