Magecart Skimmers getting better at Stealing Credit Card Details
According to a new report by Malwarebytes, MageCart skimmers are upping their game when hijacking legitimate online stores’ payment pages, displaying a high-quality customized web element known as a modal that poses as the checkout page to steal customers’ credit card information. Some of the fake forms are better than the authentic pages.
The hackers’ payment modal forms are well designed and include relevant details of the retailer. They are often more realistic than the original site and, better still for the attackers, the form does not look like a third-party checkout, which consumers tend to distrust more.
From the user’s perspective, once their details are entered on the modal, it displays a bogus loader, then a fake error which redirects the buyer to the real payment URL. At this point the data is compromised. Lastly, to avoid exposing the operation, the skimmer drops a cookie to prevent the malicious modal from loading again. Over the past couple of months, Malwarebytes observed that the trend of using these stealthy, custom modal forms is on the rise.
Roy Akerman, Co-Founder & CEO, Rezonate had this comment:
“This technique is more than a decade old. Poor security controls and overall hygiene of websites have been a constant challenge. Protocols such as 3D-Secure 2.0 and Mastercard SecureCode are two examples of ways to avoid any tampering during the purchase stage, regardless of whether the website was breached, or any MITM (man-in-the-middle) attempts from compromised endpoints able to hijack a session and steal information.
“Assuming the look and feel is flawless, and you had a reason to go into that site, and did not receive a phishing email/smishing SMS as a trigger point, you could also try first to fake your credit info as a first step and see if you hit an alert or are able to pass through.”
This is making it very, very difficult to know if a site has been compromised by a threat actor. Mr. Akerman’s advice is good, but I have to wonder how long before threat actors take that into consideration and make it impossible to spot a compromised site.
UPDATE: Baber Amin, COO, Veridium added this comment:
“Magecart or online skimming is the compromise of online shopping carts and the checkout process. Bad actors can inject malware into ill-maintained ecommerce sites.
“Additionally, all the security offered by EMV and contactless cards is nullified when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for identity theft, e.g. email address, shipping address, possibly a username and a password, etc.
- It is important for website administrators to stay up-to-date with their content management system’s patches and plugins.
- Buying from reputable online vendors is the best option for end users.
- If possible, use virtual cards online.
- Use unique usernames and passwords on each site if you must create an account.
- If they offer PayPal during checkout, use it, as it creates an indirect level of payment
- A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (tokenization). These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information. Since these tokens disappear after each authorization, they cannot be reused if stolen. The other advantage of these services is that they work both in person and for online shopping. EMV or chip cards are reduced to the security of the older non-chip card when paying online, as there is no chip reader available.”
This entry was posted on May 1, 2023 at 4:49 pm and is filed under Commentary with tags Malwarebytes.