Hackers Steal Payment Card Data Using Rogue Iframe Phishing

Cybercriminals have upgraded their credit card skimming scripts to use an iframe-based phishing system designed to phish for credit/debit card info from Magento-powered store customers on checkout.

Magecart groups usually inject JavaScript-based payment data skimmers within the code of the website, with the scripts collecting and exfiltrating payment information in the background and customers never even noticing that it happened.

In this case, as Malwarebytes security researcher Jérôme Segura discovered, the criminals injected their credit card stealer script into every page of the hacked websites and configured it to pop up as a phishing form asking the buyers to enter the info themselves.

Magecart groups using phishing to steal credit card data is not new: RiskIQ's head of threat research Yonathan Klijnsma detailed a Magecart Group 4 overlay payment phishing system in February, in which the crooks replaced the legitimate payment form with their own.

However, the iframe-based skimming discovered by Segura one-ups Magecart Group 4's devious strategy by displaying a credit card phishing form on the page where customers are redirected to the payment service provider (PSP), a place where online shops would never ask their users for payment info, given that the payment process is externalized to the PSP.

Injected phishing form

Customers who pay enough attention during the checkout process can still spot this phishing attempt, since the crooks haven't removed the "Then you will be redirected to PayuCheckout website when you place an order" message, which should raise at least a couple of red flags.

As Segura found, the crooks injected the iframe-based credit card phishing script into all pages of the hacked Magento websites, but the phishing form is only displayed on the store's checkout page.

The hackers first collect the data using the rogue iframe, which is created on the compromised store by an obfuscated script loaded from thatispersonal [.]com, a domain registered and hosted in Russia.

Next, the phished credit card data is validated and sent to the crooks' exfiltration server by another obfuscated script, via a POST request to the same Russian-hosted domain.
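The two ingredients described above, a loader script fetched from a host the store never approved and a POST to that same host, are what a defender can check for. The following is an added example, not code from the article or from Malwarebytes: it scans a checkout page's HTML for script, iframe and form targets outside an allowlist, and builds the Content-Security-Policy that would refuse those loads. The allowlist hosts, the sample page and the script path are constructed; the skimmer domain is the one named in the article. Because the rogue iframe is created at runtime, the static scan catches the loader, while a DOM snapshot from a headless browser is needed to catch the iframe itself.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store legitimately loads from (assumption: the store's own
# origin plus its PSP). Anything else on a checkout page is suspect.
ALLOWED_HOSTS = {"shop.example.com", "payments.psp.example"}


class ResourceCollector(HTMLParser):
    """Collect every <script src>, <iframe src> and <form action> target."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.findings.append((tag, attrs["src"]))
        elif tag == "form" and attrs.get("action"):
            self.findings.append((tag, attrs["action"]))


def suspicious_resources(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose host is not allowlisted.
    Relative URLs have no host, load from the store itself and are skipped."""
    parser = ResourceCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.findings
            if (host := urlparse(url).hostname) and host.lower() not in allowed_hosts]


def csp_for(allowed_hosts=ALLOWED_HOSTS):
    """CSP that blocks the three moves this skimmer needs: loading its
    script, framing its form, and POSTing the data to an unapproved host."""
    hosts = " ".join(sorted(allowed_hosts))
    return (f"default-src 'self'; script-src 'self' {hosts}; "
            f"frame-src 'self' {hosts}; form-action 'self' {hosts}; "
            f"connect-src 'self' {hosts}")


# Constructed checkout page: legitimate PSP handoff plus an injected loader
# of the kind the article describes (script path is a placeholder).
SAMPLE_CHECKOUT = """
<html><body>
<p>Then you will be redirected to PayuCheckout website when you place an order</p>
<form action="https://payments.psp.example/pay" method="post"><button>Place order</button></form>
<script src="/static/frontend/Magento/luma/en_US/checkout.js"></script>
<script src="https://thatispersonal.com/js/PLACEHOLDER.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in suspicious_resources(SAMPLE_CHECKOUT):
        print(f"suspicious <{tag}> loading from {url}")
    print("Content-Security-Policy:", csp_for())
```

The CSP only helps against externally loaded scripts; a skimmer inlined into the store's own templates sits under 'self' and needs nonces or hashes plus file-integrity monitoring of the Magento tree.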

Skimmer traffic capture

Magecart groups actively diversifying their targets

Hacking outfits known as Magecart groups have been active since around 2015, and they are an ever-evolving threat that launches attacks against both small retailers like Amerisleep and MyPillow and high-profile international companies like Ticketmaster, British Airways, OXO, and Newegg.

Magecart campaigns are as active as ever, with their activity very rarely showing any lulls. As testimony to this, security firm Group-IB discovered 2,440 compromised sites in early April infected with payment data skimmers by Magecart groups.

As Klijnsma said in a report detailing the expansion of Magecart activity to OpenCart and OSCommerce stores, "for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms."

In late April, Segura also found hundreds of Magento stores injected with GitHub-hosted skimmer scripts, while Magecart groups also infected the online shop of the Atlanta Hawks NBA basketball team, as unearthed by Sanguine Security researcher Willem de Groot.

At the beginning of May, another group was behind a polymorphic Magecart skimmer script with built-in support for 57 payment gateways from all around the world, which can be integrated into almost any online shop's checkout page to scrape payment card info without having to be customized for each compromised site.

Two days later, on May 3, the checkout pages of hundreds of U.S. and Canadian PrismWeb-powered campus stores were compromised by a Magecart group dubbed Mirrorthief by Trend Micro.

"They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information. This widens the scope of potential Magecart victims far beyond e-commerce alone," Klijnsma also stated in an in-depth analysis of a large-scale Magecart operation against OpenCart online stores.
