Pierluigi Paganini July 27, 2019

Attackers deployed a Magecart credit card skimmer script into fake Google domains used to trick visitors into making online transactions. 

Experts at Sucuri discovered threat actors using fake Google domains hosting a Magento skimmer script used to steal payment data when unaware visitors make transactions.

The campaign was uncovered when the owner of a website discovered that its domain was blacklisted by McAfee’s SiteAdvisor service. Sucuri security research discovered the domain was hosting a JavaScript card skimmer.

“Our investigation revealed that the site had been infected with a credit card skimmer loading JavaScript from the malicious internationalized domain google-analytîcs[.]com (or xn--google-analytcs–xpb[.]com in ASCII),” reads the blog post published by Sucuri.

“The malicious user purposely selected the domain name with the intention of deceiving unsuspecting victims. Website visitors may see a reputable name (like “Google”) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature.”

The attackers are using internationalized domain names (IDNs) to remain under the radar and camouflage servers hosting the skimmer script.

Some characters with different ASCII codes appear to be the same, this trick is used by attackers like phishers to “spoof” an URL. This trick allows attackers to redirect victims to malicious domains that appear identical as legitimate ones. Malicious domain could be used to trick victims into providing their personal information or to make payments.

The card skimming script injected in the fake Google domains capture input data using the document.getElementsByTagName and drop down menu data to capture input or stored element names.

Experts pointed out that the skimmer determines the type of browser (Chrome or Firefox web browsers) running it and implements different behaviors.

In the presence of Chrome or Firefox web browsers, the skimmer script will not send captured data to the C2 server to avoid detection.

“An interesting aspect of the JavaScript code is that it alters its behavior based on whether developer tools are open in Google Chrome or Mozilla Firefox” continues the report.

“In fact, the malicious JavaScript doesn’t even exfiltrate any of the captured input data to the C2 server if developer tools are open, which it detects using window.devtools.open.”

Magecart skimmer script used in this campaign supports dozens of payments gateways, a similar discovery was made by Sanguine Security researcher Willem de Groot in April.

Sucuri experts discovered that the skimmer script also uses another spoofed Google domain to deliver upload the captured payment info, the google[.]ssl[.]lnfo[.]cc.

Experts noticed in the Magento’s core_config_data table a malicious code used to store configuration values from the Magento admin interface.

Recently, the Magecart gang made the headlines again, according to a new report published by RiskIQ, it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets. 

A few days ago, security experts at Sanguine Security have uncovered a new large-scale payment card skimming campaign that already hacked 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang, hackers injected a skimmer script in the The Guardian via old AWS S3 bucket and exploiting wix-cloud[.]com as a skimmer gate.

According to RiskIQ, since April 2018, Magecart hackers adopted a new tactic that relies on misconfigured Amazon S3 buckets. These buckets allow anyone with an active Amazon Web Services account to read or write them.

Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data on, but they are quite different from each other. 

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify. ​​

Pierluigi Paganini

(SecurityAffairs – Magecart, fake Google Domains)

[adrotate banner=”5″]

[adrotate banner=”13″]