Another Magento card skimming attack is active in the wild. In this campaign, the attackers inject code into the websites that calls out to fake Google domains, tricking users into continuing their payments because they mistake the site for a legitimate one.
Fake Google Domains For Card Skimming
As revealed in a blog post by Sucuri, Magento e-stores now face another cyber threat. This time, the attackers target Magento e-commerce websites with card skimming attacks that use fake Google domains.
The attacks are going on in the wild as a dedicated campaign. The problem caught the researchers' attention after the owner of a victimized Magento site contacted them for help with a blacklisted domain. The affected website was also showing 'Dangerous Site' warnings in McAfee SiteAdvisor.
Investigation of the website revealed the presence of malicious JavaScript code. As stated in the blog post,
the site had been infected with a credit card skimmer loading JavaScript from the malicious internationalized domain google-analytîcs[.]com (or xn--google-analytcs-xpb[.]com in ASCII).
The researchers interpreted the use of ‘google’ in the malicious domain as an attempt to trick users.
Website visitors may see a reputable name (like “Google”) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature.
Upon execution, the code steals input data from the drop-down menu using document.getElementsByTagName.
Smart Devtools Detection
Initial analysis of the malicious JavaScript used in these attacks makes it look no different from a usual Magento card skimmer, but this one differs from others in that it has a smart detection feature for DevTools. When DevTools are open in Google Chrome or Mozilla Firefox, the code simply stops exfiltrating data.
In fact, the malicious JavaScript does not exfiltrate any of the captured input data to the C2 server at all while developer tools are open, which it detects by checking window.devtools.open.
This is a fairly smart technique for evading detection scenarios. When DevTools are not open, the malware exfiltrates users' information to a remote C2 server. At this point, it again bluffs users with another fake Google domain, 'google[.]ssl[.]lnfo[.]cc'.
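Both fake domains quoted above can be caught by a site owner auditing the hosts their checkout pages load scripts from. The following is an added example, not code from the article or from Sucuri: it decodes punycode labels, strips accents so the IDN twin collapses onto the real Google Analytics hostname, and flags any host that carries a brand name but sits under an untrusted registrable domain. The allow-list and the sample script URLs are constructed for the example (defanging brackets removed).

```python
import unicodedata
from urllib.parse import urlparse

# Constructed, hypothetical allow-list of hosts the shop legitimately loads scripts from.
TRUSTED_DOMAINS = {"google.com", "google-analytics.com", "googletagmanager.com"}
BRAND_KEYWORDS = ("google",)


def decode_host(host: str) -> str:
    """Turn punycode (xn--) labels into their Unicode form, label by label."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Strip accents and diacritics so 'analytîcs' collapses to 'analytics'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_host(host: str) -> str:
    host = host.lower().strip(".")
    if is_trusted(host):
        return "trusted"
    plain = skeleton(decode_host(host))
    if plain != host and is_trusted(plain):
        return "homograph-lookalike"  # accented/IDN twin of a trusted domain
    if any(kw in label for kw in BRAND_KEYWORDS for label in host.split(".")):
        return "brand-in-untrusted-domain"  # brand label under someone else's domain
    return "unknown"


def audit_script_sources(urls):
    """Return {url: verdict} for every script src whose host is not trusted."""
    findings = {}
    for url in urls:
        verdict = classify_host(urlparse(url).hostname or "")
        if verdict != "trusted":
            findings[url] = verdict
    return findings


# Constructed sample of script src values, including the two domains from the article.
SAMPLE_SCRIPT_SRCS = [
    "https://www.google-analytics.com/analytics.js",
    "https://xn--google-analytcs-xpb.com/ga.js",
    "https://google.ssl.lnfo.cc/collect",
    "https://cdn.example-shop.test/theme.js",
]

if __name__ == "__main__":
    for url, verdict in audit_script_sources(SAMPLE_SCRIPT_SRCS).items():
        print(f"{verdict:28} {url}")
```

Anything reported as "unknown" still needs a human look; the point is that the two lookalikes are surfaced with a specific reason rather than buried among legitimate third-party scripts.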
Earlier this month, Sucuri also spotted a malicious script ‘Magento Killer’ targeting Magento e-stores to steal information.