Multi-platform card skimmer targets Shopify, BigCommerce, Zencart, and Woocommerce stores

Experts warn of a multi-platform credit card skimmer that can target online stores running on Shopify, BigCommerce, Zencart, and Woocommerce.

Security experts have discovered a multi-platform credit card skimmer that can allow threat actors to harvest payment info on compromised stores powered by Shopify, BigCommerce, Zencart, and Woocommerce.

Researchers from security firm Sansec discovered that the new software skimmer is able to interact with the checkout process on shops running on top of multiple online store management systems.

The software skimmer can also target e-stores running on BigCommerce and Shopify platforms even if they do not allow custom Javascript on checkout pages. This skimmer shows a fake payment form that was designed to record customer keystrokes before they enter the actual checkout page. 

“Hosted platforms like BigCommerce and Shopify do not allow custom Javascript on checkout pages. This skimmer evades that by showing a fake payment form and recording customer keystrokes before they enter the actual checkout page.” reads the post published by SanSec. “Once the data is intercepted, the skimmer displays an error message and the customer is redirected to the real payment page:”

Once the customers have provided their credit card data, the skimmer will throw an error and redirects customers to the real payment page to avoid raise suspicion.

This campaign outstands because it targets so many different platforms, hackers may have breached a shared component used by all affected merchants.

Experts pointed out that this multi-platform skimmer uses programmatically generated exfiltration domains.

“It keeps a counter and uses base64 encoding to produce a new domainname.” continues the report. “This will lead to, for example, these exfiltration domains.”

  • zg9tywlubmftzw5ldza.com;
  • zg9tywlubmftzw5ldze.com;
  • zg9tywlubmftzw5ldzu.com:
  • zg9tywlubmftzw5ldzq.com;
  • zg9tywlubmftzw5ldzm.com;
  • zg9tywlubmftzw5ldzy.com;
  • zg9tywlubmftzw5ldzi.com;
  • zg9tywlubmftzw5ldzg.com
  • …………………………………………..

The first exfiltration domains was registered on August 31, 2020.

“To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming,” Sansec concludes. “Wherever customers enter their payment details, they are at risk.”

Sansec researchers have spotted multiple Magecart campaigns using new evasion techniques. In early December they have uncovered a campaign that was hiding the malware in CSS files.

The experts analyzed multiple Magecart attack techniques over the past months, attackers compromised websites by hiding malicious code in multiple components of the sites, including live chat windows, images, and favicons.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Multi-platform card skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

FBI unlocked the phone of the suspect in the assassination attempt on Donald Trump

The FBI gained access to the password-protected phone of the suspect in the assassination attempt…

2 hours ago

Ransomware groups target Veeam Backup & Replication bug

Multiple ransomware groups were spotted exploiting a vulnerability, tracked as CVE-2023-27532, in Veeam Backup &…

5 hours ago

AT&T paid a $370,000 ransom to prevent stolen data from being leaked

Wired attributes the recently disclosed AT&T data breach to a hacker living in Turkey and…

7 hours ago

HardBit ransomware version 4.0 supports new obfuscation techniques

Cybersecurity researchers detailed a new version of the HardBit ransomware that supports new obfuscation techniques…

16 hours ago

Dark Gate malware campaign uses Samba file shares

A Dark Gate malware campaign from March-April 2024 demonstrates how attackers exploit legitimate tools and…

23 hours ago

Security Affairs Malware Newsletter – Round 2

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

This website uses cookies.