Skimmer Acts as Payment Service Provider via Rogue Iframe


Skimmer Acts as Payment Service Provider via Rogue Iframe (May 21, 2019)

One of the approximately 12 financially-motivated groups referred to by the umbrella term “Magecart,” has been found to be using overlay techniques to steal credit card information, according to Malwarebytes Labs researchers. This campaign consists of Magecart, potentially Magecart group 4 because of overlay tactics, injecting a “Magento” ecommerce site an iframe that requests credit card information be entered when a user went to a checkout page to complete a purchase. These fields for credit card data do not exist in the normal checkout page prior to a Magecart injection. The stolen data is exfiltrated via a network request.

Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.