- December 1, 2020
- Posted by: administrator
- Category: Threat News
A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores.
The attackers’ end goal is to harvest the payment and personal information submitted by the hacked stores’ customers and to send it to remote servers under their control.
Stolen order info used to pre-fill malicious checkout iframes
This new tactic for stealing online shoppers’ payment card information was discovered by Affable Kraut using data from Sansec, a security company focused on fighting digital skimming.
As he discovered when analyzing the web skimmer, the malicious script was hidden inside an image hosted on the compromised store’s own server using steganography.
The skimmer (cleaned and commented version available here) will capture all order form data entered by the victims and will exfiltrate it to the attackers’ servers.
However, this is where similarities with regular skimmer scripts end since the stolen order data is also later used to pre-fill fake PayPal payment forms that will be injected and displayed during the checkout process instead of legitimate forms.
The skimmer will also parse the order info before using it to fill the PayPal forms and “[i]f the data is no good, it actually sends a message back to the page on the victim’s site,” as Kraut found, effectively removing the malicious iframes from the checkout page.
If the parsed data passes the checks, “[t]he __activatePg call takes the passed data and uses it to prefill the fake PayPal form, which is honestly kind of ingenious.”
When the victim will get redirected to the PayPal order page, the fact that it’s already partially filled out will likely raise the odds that it will be convincing enough to successfully capture their payment data.
“It even passes along the items in the cart and the accurate Total, Taxes, and Shipping costs,” as Kraut added.
Once the victim enters their payment information and hits the submit button, the skimmer will exfiltrate all of it to apptegmaker[.]com, a domain registered in October 2020 and connected to tawktalk[.]com (this domain was also used for data exfil by a Magecart group with similarly coded loaders).
After stealing the victims’ payment data, the skimmer will click the order button behind the malicious iframe sending the victim back to the legitimate checkout process.
NOTE:: This article is copyright by bleepingcomputer.com and we are using it for educational or Information purpose only