In a concerning development for online shoppers and e-commerce businesses alike, cybersecurity experts have uncovered a large-scale credit card skimming campaign targeting Magento-powered websites. This sophisticated attack, which has affected hundreds of online stores, demonstrates the evolving tactics of cybercriminals in their pursuit of sensitive financial information.
The campaign, initially detected by Malwarebytes researchers, involves the injection of malicious code known as digital skimmers into the checkout pages of compromised e-commerce sites. These skimmers are designed to capture customers' credit card details, including card numbers, expiration dates, and CVV codes, as they are entered during the payment process.
What sets this attack apart is its scale and the clever techniques employed by the hackers to evade detection. The malicious code is often disguised to resemble legitimate third-party services, such as Google Analytics or Google Tag Manager, making it challenging for website administrators to identify the threat. In some cases, the attackers have gone a step further by abusing legitimate websites to host their malicious code, effectively hiding behind trusted domains.
The infection process typically begins with the injection of a seemingly innocuous script tag into the targeted website. This script then loads additional malicious code from attacker-controlled servers, often using domain names that mimic popular brands or services. For instance, one of the domains used in this campaign, amazon-analytic[.]com, was registered in February 2024 and has been linked to multiple credit card theft incidents.
Once active on a compromised site, the skimmer code employs sophisticated obfuscation techniques to avoid detection. It may create a fake "Payment Method" frame during the checkout process, tricking customers into entering their payment details directly into the skimmer rather than the legitimate payment gateway. This method has proven effective even on websites using reputable payment providers like Quickpay.
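The disguise described above (script tags that load from brand-lookalike domains, plus injected frames that stand in for the real payment form) is something a site owner can check for from the outside. The following is an added example, not code from the article, from Malwarebytes or from Magento: it parses a checkout page, lists every `<script>` and `<iframe>` that loads from another host, and sorts each host into allowed, lookalike or unknown. The allowlist, the brand-word list and the sample page are all assumptions; the only real name in it is `amazon-analytic.com`, the domain the article cites.

```python
"""Audit a checkout page for scripts and frames loaded from hosts that are
either unknown or that imitate well-known services (added example, not code
from the article, Malwarebytes or Magento)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the shop legitimately loads code from.
ALLOWED_HOSTS = {
    "shop.example",                 # the store itself (constructed name)
    "www.googletagmanager.com",
    "www.google-analytics.com",
}
# Brand fragments that lookalike domains borrow to blend in (assumed list).
BRAND_WORDS = ("google", "amazon", "analytic", "tagmanager", "paypal")


class LoaderCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags; count inline scripts."""

    def __init__(self):
        super().__init__()
        self.loads = []          # (tag, src) pairs
        self.inline_scripts = 0  # <script> without src: review these by hand

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.loads.append((tag, src))
        elif tag == "script":
            self.inline_scripts += 1


def classify_host(src, allowed=ALLOWED_HOSTS):
    """Return 'same-origin', 'allowed', 'lookalike' or 'unknown' for a src URL."""
    url = "https:" + src if src.startswith("//") else src  # protocol-relative URLs
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "same-origin"
    if host in allowed:
        return "allowed"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"


def audit_checkout_html(html, allowed=ALLOWED_HOSTS):
    """Return (findings, inline_script_count); each finding is (verdict, tag, src)."""
    collector = LoaderCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.loads:
        verdict = classify_host(src, allowed)
        if verdict in ("lookalike", "unknown"):
            findings.append((verdict, tag, src))
    return findings, collector.inline_scripts


# Constructed checkout page; amazon-analytic.com is the domain named in the article.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
<script src="/static/frontend/Magento/luma/en_US/js/checkout.js"></script>
<script src="https://amazon-analytic.com/analytics.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<iframe src="//cdn.unrelated-host.example/payment-method.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    findings, inline = audit_checkout_html(SAMPLE_CHECKOUT_HTML)
    for verdict, tag, src in findings:
        print(f"{verdict:9s} <{tag}> {src}")
    print(f"{inline} inline script(s) to review by hand")
```

Run it against the rendered checkout page rather than the template source, since the injected tag usually comes from the database or a core file and only appears once the page is served. Anything reported as lookalike deserves a WHOIS check; a February 2024 registration date on a domain that claims to be a long-established analytics service is the kind of mismatch the article describes.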
The impact of this campaign is significant. Some of the affected e-commerce sites reportedly handle hundreds of thousands of visitors per month, potentially exposing tens of thousands of shoppers to the risk of having their personal and financial information stolen. The stolen data is typically encrypted and exfiltrated to remote servers controlled by the attackers, where it can be sold on the dark web or used for further fraudulent activities.
Interestingly, the attackers have also employed a novel persistence technique using swap file abuse on compromised Magento websites. This method allows the malware to survive multiple cleanup attempts, as discovered by security researchers at Sucuri. By leveraging the swap file system, which is typically used to prevent data loss during file editing, the attackers can keep their malicious code present on the server even after apparent removal.
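Because cleanup tools usually look at `.php` files, an editor swap file that happens to contain PHP is easy to miss. The following added example (not code from the article or from Sucuri) walks a webroot, lists every editor swap or ad-hoc backup file, and flags the ones that contain PHP. It assumes the "swap files" in question are editor artifacts such as Vim's `.swp`, which matches the article's description of files kept to prevent data loss during editing; the suffix list and the sample tree it builds in a temporary directory are constructed.

```python
"""Walk a Magento webroot for editor swap/backup files and flag those that
contain PHP code (added example; not code from the article or from Sucuri).
Assumes the "swap files" in question are editor artifacts such as Vim's .swp."""
import os
import re
import tempfile

# Suffixes left behind by editors and ad-hoc backups (assumed list).
SWAP_SUFFIXES = (".swp", ".swo", ".swn", "~", ".bak", ".orig", ".save")
# Cheap content check: does the file carry a PHP open tag at all?
PHP_MARKER = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def find_swap_artifacts(root, max_bytes=65536):
    """Return sorted (relative_path, contains_php) for every swap/backup file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SWAP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)  # enough to catch an open tag near the top
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, PHP_MARKER.search(head) is not None))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed Magento-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="magento-sample-")
    sample_files = {
        "app/bootstrap.php": b"<?php\n// legitimate bootstrap (constructed)\n",
        # Vim-style swap file beside a PHP file, carrying PHP itself (constructed)
        "app/.bootstrap.php.swp": b"<?php /* constructed: injected code would live here */\n",
        # Stale backup with no code: worth listing, not alarming by itself
        "var/log/debug.log.bak": b"[info] nothing to see here\n",
    }
    for rel, content in sample_files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, has_php in find_swap_artifacts(root):
        print(f"{'PHP INSIDE' if has_php else 'no php':10s} {rel}")
```

A swap file that sits next to a core PHP file and contains code should be treated as the live copy of the backdoor, not as leftover junk: compare it against the file it shadows, check its owner and timestamps against the rest of the tree, and remove both it and whatever re-reads it before declaring the site clean.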
The widespread nature of this campaign highlights the ongoing vulnerability of e-commerce platforms to such attacks. Victims have been identified across North America, Latin America, and Europe, ranging from small online stores to larger enterprises. Notable examples include the online store of a popular European beer manufacturer and a Canadian university's e-commerce site.
For consumers, the risk extends beyond financial loss. In addition to credit card details, these skimmers often collect other personal information such as email addresses, home addresses, and phone numbers, which can lead to further identity theft and fraud.
To protect against these threats, cybersecurity experts recommend several measures. For e-commerce businesses, regular security audits, prompt application of security patches, and the implementation of strong authentication systems are crucial. Additionally, Wordfence evasion techniques have been observed, making it essential to disable theme editing and implement robust security measures.
For online shoppers, vigilance is key. Using security software that can detect and block known skimmer infrastructure, such as Malwarebytes' Browser Guard, can provide an additional layer of protection. Consumers should also monitor their credit card statements regularly and report any suspicious activity immediately.
Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.