Researchers have recently found Magecart attackers abusing Salesforce Heroku to host Magecart skimmers. The attackers also use the service to store stolen payment card information.
Salesforce Heroku Hosted Magecart
Researchers from Malwarebytes Labs have found Magecart skimmers hosted on the Salesforce Heroku PaaS. The attackers also used the service to store stolen data. The researchers have detailed their findings in a blog post.
Heroku is a cloud-based platform-as-a-service (PaaS) from Salesforce that provides web app hosting to various businesses. It offers a freemium model so that new users can test its hosting services. That is what the attackers exploited.
According to the researchers, the threat actors created free accounts with the service to host their skimmers. This also let them target websites with a single line of code, which executes the further steps.
The goal of this code is to monitor the current page and load a second element (a malicious credit card iframe) when the current browser URL contains the Base64-encoded string Y2hlY2tvdXQ= (checkout).
The iframe overlays the site’s payment form to steal users’ data. Once a user enters the details into the malicious iframe, the data is exfiltrated to the attacker and the page reloads, requiring the user to re-enter the information.
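A defender-side check for the encoded keyword described above, added here as an example and not taken from the Malwarebytes report: it scans script source for Base64 string literals that decode to payment-page keywords. The keyword list, function names and sample strings are assumptions constructed for illustration; the code runs under Node.js.

```javascript
// Added example: flag Base64 string literals in script source that decode to
// payment-page keywords, such as Y2hlY2tvdXQ= ("checkout").
const KEYWORDS = ["checkout", "payment", "billing", "cart"]; // assumed watch list

// Quoted literals made only of Base64 characters, with optional padding.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{6,}={0,2})\1/g;

function decodeIfBase64(literal) {
  if (literal.length % 4 !== 0) return null; // padded Base64 only
  const decoded = Buffer.from(literal, "base64").toString("latin1");
  // Reject binary results (images, keys): keep printable ASCII only.
  if (!/^[\x20-\x7e]+$/.test(decoded)) return null;
  // Round-trip check rejects input that Node decoded leniently.
  if (Buffer.from(decoded, "latin1").toString("base64") !== literal) return null;
  return decoded;
}

function findEncodedKeywords(source, keywords = KEYWORDS) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = decodeIfBase64(m[2]);
    if (decoded === null) continue;
    const lower = decoded.toLowerCase();
    const keyword = keywords.find((k) => lower.includes(k));
    if (keyword) hits.push({ literal: m[2], decoded, keyword });
  }
  return hits;
}

// Constructed samples (not taken from the report).
const SUSPECT =
  'var k = "Y2hlY2tvdXQ="; if (location.href.indexOf(atob(k)) > -1) { /* ... */ }';
const BENIGN = 'var label = "checkout"; var img = "iVBORw0KGgo=";';

for (const [name, src] of [["suspect", SUSPECT], ["benign", BENIGN]]) {
  console.log(name, JSON.stringify(findEncodedKeywords(src)));
}
```

A hit is a lead for manual review of the script that contains it, not proof of a skimmer; legitimate code also encodes strings.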
Numerous Skimmers Found On Heroku
The researchers also noticed numerous other skimmers. All of these used a similar naming convention and appeared active.
The researchers also elaborated that attackers always find cloud-based services lucrative. They may specifically use these platforms to evade detection, as the services host numerous legitimate users as well.
Recently, numerous incidents involving Magecart skimmers have surfaced online. The attackers targeted various e-stores to steal users’ personal and payment card details in bulk.