A new credit card skimming scheme which involves over 100 websites is actively stealing the financial details of customers, researchers have warned.
According to Netlab 360, credit card information including names, card numbers, expiration dates, and security codes (CVV) has been stolen over the course of five months.
A suspicious domain, magento-analytics[.]com, was flagged by the company back in October 2018. Since then, Netlab 360 has been tracking the domain, whose traffic was originally rather low.
The domain, which is not associated with legitimate Magento services or websites, returns a 404 error if you attempt to access it directly from a browser.
However, it was not long before the researchers realized something nefarious was going on.
Magento-analytics[.]com is registered in Panama, but recently shifted to the US, Russia, and then finally China. This prompted the team to check out what the domain's purpose was, and they found a range of JS scripts used to skim financial data.
The scripts themselves are similar and appear to be simple, containing little more than a timer, TrySend functions to fetch credit card information, and a SendData call for reporting the data to the operator's command-and-control (C2) server.
Netlab 360 tracked these scripts and discovered that 105 domains have been injected with these malicious scripts, including six among the Alexa Top one million websites.
Victims appear to be e-commerce and retail websites including those which sell goods such as designer bags, bicycles, baby products, electronics, and wine.
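For site owners, a check built from the indicators described above, as an added example that is not from Netlab 360 or the original article: it walks a page's script tags and flags the reported domain, third-party hosts missing from an allowlist, and inline code containing the TrySend or SendData names. The shop hosts, paths, and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the article; kept defanged in source, refanged at runtime.
SKIMMER_DOMAIN = "magento-analytics[.]com".replace("[.]", ".")
# Function names the article says the skimmer scripts contain.
SKIMMER_MARKERS = ("TrySend", "SendData")

class ScriptAuditor(HTMLParser):  # collects external script hosts and inline bodies
    def __init__(self):
        super().__init__()
        self.external_hosts, self.inline_bodies, self._inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            host = urlparse(src).hostname if src else None  # None for relative paths
            if host:
                self.external_hosts.append(host.lower())
            self._inline = not src
            if self._inline:
                self.inline_bodies.append("")
    def handle_data(self, data):
        if self._inline:
            self.inline_bodies[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def audit_page(html, page_host, allowed_hosts):
    """Return (finding, detail) tuples for the script tags in one HTML page."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for host in parser.external_hosts:
        if host == SKIMMER_DOMAIN or host.endswith("." + SKIMMER_DOMAIN):
            findings.append(("known-skimmer-domain", host))
        elif host != page_host and host not in allowed_hosts:
            findings.append(("unlisted-third-party", host))
    findings += [("skimmer-marker-inline", m) for body in parser.inline_bodies
                 for m in SKIMMER_MARKERS if m in body]
    return findings

# Constructed sample checkout page; only the article's domain is not made up.
SAMPLE_HTML = f"""<script src="/static/checkout.js"></script>
<script src="https://cdn.shop-example.test/lib.js"></script>
<script src="https://{SKIMMER_DOMAIN}/constructed-sample.js"></script>
<script src="https://widgets.unknown-example.test/w.js"></script>
<script>function TrySend(){{}} function SendData(){{}}</script>"""
```

Call `audit_page(SAMPLE_HTML, "shop-example.test", {"cdn.shop-example.test"})` to see the findings for the sample; the function-name match is a weak signal on its own, since the names are generic and trivially renamed.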
The campaign is reminiscent of Magecart, a well-known cybercriminal group which has been connected to credit card skimming attacks against high-profile targets including British Airways, TicketMaster, and OXO International.
Last week, Trend Micro said the hacking group had managed to implant credit card stealing malware in 201 online stores linked to 176 colleges and universities in the US, as well as 21 academic institutions in Canada.