Hundreds of Online Stores Hacked in Sophisticated Digital Skimming Campaign
Hundreds of e-commerce websites running on the Magento platform have been compromised in a malware campaign uncovered by Malwarebytes. The attackers injected malicious code, known as a digital skimmer, into the stores' checkout pages, so that customers' credit card details are stolen as they are entered.
Digital skimmers are small snippets of malicious JavaScript that attackers inject into online payment pages. Once active, a skimmer captures the payment details the shopper types, including the card number, expiration date and CVV, and sends them to an attacker-controlled server. Because the code runs on the store's own domain, the browser's padlock and the store's URL look exactly as they should.
Malwarebytes researcher Jérôme Segura reported, “We recently detected a new malware campaign targeting a number of online stores running Magento, a popular e-commerce platform. Due to the compromises looking similar, we believe the threat actors likely used the same vulnerability to plant their malicious code.”
The campaign appears to be widespread: Malwarebytes identified over a dozen attacker-controlled domains set up to serve the skimmer and collect the stolen data. Within a few days of detecting the activity, the company's security products blocked over 1,100 unique theft attempts against its users who happened to shop at one of the compromised stores.
The injection itself is a single, innocuous-looking line added to the store's pages: a script tag whose src points at a remote server controlled by the attackers. Across the compromised stores the loader URLs follow the same naming convention, {domain}.{shop|online}/img/, which points to one coordinated operation rather than unrelated incidents.
Once that loader runs, it calls a function that fetches the actual skimming code from a second URL. This second-stage script is heavily obfuscated to evade detection and is built to blend into the checkout flow: during payment it inserts a fake "Payment Method" frame into the page, so the customer types their card details into the skimmer's form rather than the legitimate payment gateway's.
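As an added example (not Malwarebytes' tooling and not code from the original article), the following Node.js script shows how a store operator or incident responder could check a checkout page for this kind of loader: it pulls every script src out of the page HTML, flags any that match the {domain}.{shop|online}/img/ convention described above or point at a host outside the store's allowlist, and builds a Content-Security-Policy value that would refuse such a loader and its exfiltration channels. The sample HTML, the hostnames and the allowlist are constructed for the example.

```javascript
// Added example (not Malwarebytes' tooling): a static scanner for injected
// skimmer loaders in checkout HTML, plus a CSP that would block such a loader.
// The sample HTML, hostnames and allowlist below are constructed for illustration.

// Matches <script ... src="..."> tags; the captured group is the src value.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Loader naming convention reported for this campaign: {domain}.{shop|online}/img/
const CAMPAIGN_LOADER_RE = /^https?:\/\/[^/]+\.(shop|online)\/img\//i;

// Return every script src in document order.
function extractScriptSources(html) {
  return [...html.matchAll(SCRIPT_SRC_RE)].map((m) => m[1]);
}

// Classify one script src relative to the store's own host and its allowlist.
function classifyScript(src, pageHost, allowedHosts) {
  let url;
  try {
    url = new URL(src, `https://${pageHost}/`); // relative paths resolve to the store itself
  } catch {
    return { src, host: null, verdict: 'unparseable' };
  }
  const host = url.hostname.toLowerCase();
  if (CAMPAIGN_LOADER_RE.test(url.href)) {
    return { src, host, verdict: 'campaign-pattern' };
  }
  if (host === pageHost || allowedHosts.includes(host)) {
    return { src, host, verdict: 'allowed' };
  }
  return { src, host, verdict: 'unknown-third-party' };
}

// Scan a whole checkout page and report one verdict per script tag.
function scanCheckoutPage(html, pageHost, allowedHosts) {
  return extractScriptSources(html).map((src) => classifyScript(src, pageHost, allowedHosts));
}

// Build a Content-Security-Policy value that only lets the store itself and the
// listed payment/CDN hosts run scripts, open connections, embed frames or receive forms.
function buildCheckoutCsp(allowedHosts) {
  const third = allowedHosts.map((h) => `https://${h}`).join(' ');
  return [
    `script-src 'self' ${third}`,   // the injected loader tag is refused unless its host is listed
    `connect-src 'self' ${third}`,  // fetch/XMLHttpRequest exfiltration to other hosts is refused
    `frame-src ${third}`,           // a fake "Payment Method" iframe from another host is refused
    `form-action 'self' ${third}`,  // form posts to attacker servers are refused
  ].join('; ');
}

// Constructed checkout page: Magento's own bundle, an allowed payment helper,
// a loader following the campaign convention, and an unlisted analytics tag.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script type="text/javascript" src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://payments.example-psp.com/helper.js"></script>
<script src='https://static-assets.shop/img/loader.js'></script>
<script src="https://tag.example-analytics.net/t.js" async></script>
</head><body></body></html>`;

const SAMPLE_PAGE_HOST = 'store.example.com';           // hypothetical store hostname
const SAMPLE_ALLOWLIST = ['payments.example-psp.com'];  // hypothetical approved third party

// Usage: one line per script tag, then the CSP the store could deploy.
for (const r of scanCheckoutPage(SAMPLE_CHECKOUT_HTML, SAMPLE_PAGE_HOST, SAMPLE_ALLOWLIST)) {
  console.log(`${r.verdict.padEnd(20)} ${r.src}`);
}
console.log(`Content-Security-Policy: ${buildCheckoutCsp(SAMPLE_ALLOWLIST)}`);
```

Two caveats apply. The CSP is sent by the same server the attackers already modified, so an intruder with write access to Magento's templates or PHP can strip the header as easily as they added the script tag; it raises the cost of the attack and catches loaders added elsewhere, but the real fix is patching the install and removing the injected code. And dropping `'unsafe-inline'` from `script-src`, which is what makes the policy meaningful against an inline second stage, also blocks Magento's own inline scripts unless they are migrated to nonces or hashes, so the policy needs to be rolled out in report-only mode first.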
Real-World Examples of the Attack
Two examples of this attack were noted by Malwarebytes researchers:
- European Beer Manufacturer: The online store of a popular European beer manufacturer was found to carry the injected script, which redirected payment details to the attackers.
- Canadian University: A similar compromise was detected on a Canadian university's online store, where the skimmer code was inserted to capture payment information.
In both cases the attackers took advantage of an externalized payment process. Although the stores used a legitimate payment provider such as Quickpay, the skimmer's fake payment form was shown first, so the card details were captured before the shopper was handed off to the legitimate processor.
Digital skimmers are notoriously difficult to spot because they are designed to look like legitimate parts of the website's code and are served from the store's own domain. Unless a shopper is actively inspecting network traffic or debugging the checkout page, nothing indicates that their data is being stolen.
Malwarebytes has already added these malicious sites to its security products, including its antivirus and browser extension, Browser Guard, which can detect and block the skimmer infrastructure. Users visiting a compromised store would receive a warning, although access to the store would not be blocked entirely. The company advises against making purchases from these sites even if the skimmer code is blocked.
“We contacted the stores featured in this blog post, and they have already taken action to either remove the malicious code or temporarily suspend their website,” Segura noted. Additionally, Malwarebytes reported the malicious infrastructure to Cloudflare, which has since flagged it as phishing.
For consumers, the best protection against these types of attacks is vigilance. Monitoring credit card statements regularly and using security software that can detect and block such threats are crucial steps in safeguarding personal information.
While most credit card companies can quickly issue a new card if fraud is detected, the risk extends beyond just financial information. Skimmers often collect other personal details such as email addresses, home addresses, and phone numbers, which can lead to further identity theft and fraud.
For those who suspect they may have been affected, Malwarebytes recommends checking out their Identity Protection services included in their Premium Security offering. This additional layer of security can help protect against the fallout from such breaches and assist in quickly restoring a compromised identity.