Fresh Card Skimmer Found On Shopify, Zencart, BigCommerce, and Woocommerce Stores

Security researchers have discovered a payment card skimmer that bad actors can use to steal payment credentials from stores powered by Shopify, BigCommerce, Zencart, and Woocommerce. It shows a fake payment form that logs keystrokes, then displays an error message once it has received the credentials.

So far, the new skimmer has been found in the checkout process of a number of stores running on hosted store management platforms such as Shopify, BigCommerce, Zencart, and Woocommerce, say researchers from the security firm Sansec.

A cybercriminal operation that several researchers call “Magecart” could be behind such JavaScript payment card skimmers. Magecart is a collective term for several separate groups that use common tools and techniques to target e-commerce checkout pages and harvest payment credentials and other credit card details. Sansec has not yet named a specific Magecart group, but it considers this skimmer unusual because it can target several online store management systems at once, unlike others that target a single one.

The Sansec report does not clarify how the attackers compromised the online store management systems, whether through an unknown vulnerability or by operating malware remotely. What is clear is that platforms like Shopify and BigCommerce do not allow custom JavaScript on their checkout pages, forms, or pop-ups. Once the skimmer is planted, the attackers work around this by displaying a fake payment form that records the customer's keystrokes, then showing an error message and redirecting the customer to the real checkout page. The customer remains unaware that the card credentials have already been captured by the skimmer. To reach such a wide range of platforms, the attackers must have targeted a component shared by all affected merchants, which makes the breach exceptional.

Sansec researchers also found that the skimmer automatically generates the domains that receive the stolen credentials. The credentials are stored there in Base64-encoded form until the attackers retrieve them. The domain names themselves are also created with Base64 encoding, producing names such as zg9tywlubmftzw5ldza.com, zg9tywlubmftzw5ldzu.com, zg9tywlubmftzw5ldze.com, zg9tywlubmftzw5ldzm.com, and so on. One of these domains was first registered on 31 August 2020.
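A detection sketch for the naming scheme described above, added here as an example and not taken from the report or from this article: it tests whether a hostname label is lowercased Base64 by recovering the lost letter case group by group, which is how the four quoted domains resolve to a fixed string plus a counter digit. The plaintext alphabet (lowercase letters and digits), the `min_len` threshold and all function names are assumptions made for illustration.

```python
import base64
import binascii
import itertools

# Assumption: generated names decode to lowercase letters and digits only.
PLAINTEXT_ALPHABET = set(b"abcdefghijklmnopqrstuvwxyz0123456789")

def group_plaintexts(group):
    """Plaintexts one 4-char group could encode; any letter may have been upper case."""
    found = set()
    choices = [(c, c.upper()) if c.isalpha() else (c,) for c in group]
    for variant in map("".join, itertools.product(*choices)):
        try:
            raw = base64.b64decode(variant)
        except binascii.Error:
            continue
        # Canonical encodings only: rejects stray bits before the padding.
        canonical = base64.b64encode(raw).decode() == variant
        if canonical and set(raw) <= PLAINTEXT_ALPHABET:
            found.add(raw.decode())
    return found

def recover_plaintexts(label, limit=64):
    """Candidate plaintexts for a DNS label that may be lowercased Base64."""
    label = label.lower()
    if not (label.isascii() and label.isalnum()) or len(label) % 4 == 1:
        return []
    padded = label + "=" * (-len(label) % 4)
    groups = [group_plaintexts(padded[i:i + 4]) for i in range(0, len(padded), 4)]
    if not all(groups):
        return []  # at least one group has no acceptable decoding
    combos = itertools.product(*map(sorted, groups))
    return ["".join(c) for c in itertools.islice(combos, limit)]

def flag_hosts(hosts, min_len=12):
    """Map each host whose first label decodes cleanly to its plaintexts."""
    hits = {}
    for host in hosts:
        label = host.split(".")[0]
        if len(label) >= min_len and (plain := recover_plaintexts(label)):
            hits[host] = plain
    return hits

# Constructed sample: the four domains quoted above plus two benign hostnames.
SAMPLE_HOSTS = ["zg9tywlubmftzw5ldza.com", "zg9tywlubmftzw5ldzu.com",
                "zg9tywlubmftzw5ldze.com", "zg9tywlubmftzw5ldzm.com",
                "www.example.com", "paymentgateway.example.net"]
if __name__ == "__main__":
    print(flag_hosts(SAMPLE_HOSTS))
```

Run over outbound hostnames from proxy or CSP report logs, a hit is a lead for review rather than a verdict, since short benign labels can also decode cleanly.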

Sansec states: “To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming, wherever customers enter their payment details, they are at risk”. Security researchers explained that attackers using such skimmers have found new ways to hide them inside e-commerce checkout pages in recent months. One example is a Magecart campaign, discovered at the beginning of December, that hid its malware in CSS files. Attackers can hide a skimmer in unexpected elements of a website such as images, live chat windows, and icons.
