A new type of web skimmer is active in the wild targeting numerous platforms like Shopify, WooCommerce, and more. This skimmer runs on platforms that otherwise don’t allow custom JavaScript. Hence, the new skimmer suffices to target those platforms where conventional Magecart or JavaScript skimmers fail.
New Web Skimmer Discovered On Shopify, WooCommerce Stores
Researchers from Sansec have recently shared details about a new online skimmer active in the wild. This web skimmer targets platforms usually considered safe from such attacks, like Shopify and BigCommerce.
In fact, the researchers found the new skimmer already running on dozens of online stores hosted on BigCommerce, Shopify, Zencart, and WooCommerce.
On stores where the platforms don’t allow custom JS, the new skimmer evades the security by displaying a fake payment form to the users visiting the affected websites. Through these forms, the skimmer records the keystrokes to steal customers’ payment data.
Once the victim fills the form, an error message appears redirecting the victim to the real payment page. In this way, the victim gets no idea of the attack, whereas, the malware steals the data.
The new campaign is also different in that the attackers use programmatically-generated domains to store exfiltrated data. As Sansec explained,
It keeps a counter and uses base64 encoding to produce a new domainname.
This will lead to, for example, these exfiltration domains.
The first of these got registered on August 31, 2020.
Regarding how the attackers managed to target multiple platforms together, the researchers state,
It is remarkable that so many different platforms are compromised in the same campaign. Typically, criminals exploit a flaw in a single platform. Attackers may have breached a shared component, e.g., software or a service that is used by all affected merchants.
Thus, the customers who frequently shop online should remain very careful while entering their payment details.