Another Magento card skimming attack is active in the wild. In this case, the attackers plant code on the targeted websites that sends data to fake Google domains, so users mistake the site for a legitimate one and continue with their payments.
Fake Google Domains For Card Skimming
As revealed in a blog by Sucuri, Magento e-stores now face another cyber threat. This time, the attackers target Magento e-commerce websites with card skimming attacks using fake Google domains.
The attacks are going on in the wild as a dedicated campaign. The problem caught the researchers’ attention after a victimized Magento site owner contacted them for help with a blacklisted domain. The affected website also triggered ‘Dangerous Site’ warnings in McAfee SiteAdvisor.
The researchers interpreted the use of ‘google’ in the malicious domain as an attempt to trick users.
Website visitors may see a reputable name (like “Google”) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature.
Upon execution, the code steals input data from the drop-down menu using document.getElementsByTagName.
Smart Devtools Detection
This seems a pretty smart technique to evade detection. In the absence of Devtools, the malware exfiltrates users’ information to a remote C&C server. At this point, it again deceives users with another fake Google domain, “google[.]ssl[.]lnfo[.]cc”.
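The two Google lookalikes described above (the blacklisted domain and the exfiltration host google[.]ssl[.]lnfo[.]cc) share one trait: the word "google" appears in the hostname, but the registrable domain is not one Google owns. The following is an added example, not code from the Sucuri write-up, showing how a site owner's page-integrity check could flag such script sources or request destinations. The allowlist of Google-owned domains and the "last two labels" shortcut for the registrable domain are assumptions made for the demo; a production check would use the Public Suffix List.

```javascript
// Added example (not from the Sucuri report): flag URLs whose hostname
// contains "google" but whose registrable domain is not one Google owns.
// GOOGLE_OWNED is an assumed, deliberately short allowlist for the demo.
const GOOGLE_OWNED = new Set([
  "google.com",
  "googleapis.com",
  "gstatic.com",
  "googletagmanager.com",
]);

// Naive registrable-domain extraction: last two labels of the hostname.
// Assumption for the example; real deployments should use the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// True when the hostname trades on the "google" name without being Google's.
function isGoogleLookalike(hostname) {
  const h = hostname.toLowerCase();
  if (!h.includes("google")) return false;
  return !GOOGLE_OWNED.has(registrableDomain(h));
}

// Audit a list of URLs (for example every <script src> on the checkout page
// plus fetch/XHR destinations seen in the network log) and return the
// entries that point at lookalike domains. Malformed URLs are skipped.
function auditUrls(urls) {
  const flagged = [];
  for (const u of urls) {
    let host;
    try {
      host = new URL(u).hostname;
    } catch (e) {
      continue; // not a parseable URL; nothing to check
    }
    if (isGoogleLookalike(host)) {
      flagged.push({ url: u, hostname: host, registrable: registrableDomain(host) });
    }
  }
  return flagged;
}

// Constructed sample: what an integrity check might collect from a checkout page.
// The third entry is the exfiltration hostname quoted in the report, re-fanged.
const SAMPLE_URLS = [
  "https://www.google.com/recaptcha/api.js",
  "https://www.googletagmanager.com/gtm.js?id=GTM-XXXX",
  "https://google.ssl.lnfo.cc/",
  "https://cdn.store.example/js/checkout.js",
  "not a url",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditUrls(SAMPLE_URLS));
}
```

In a browser, the list can be built with `Array.from(document.scripts, s => s.src)` and fed to `auditUrls`; in a log pipeline, the same function runs over the destination URLs of outbound requests from the checkout page. The check is intentionally a string heuristic: it catches the lookalike pattern this campaign relies on, and a hit is a prompt to inspect the script, not proof of compromise on its own.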
Earlier this month, Sucuri also spotted a malicious script ‘Magento Killer’ targeting Magento e-stores to steal information.