Cybersecurity researchers from Malwarebytes have discovered a new credit card information stealing campaign that uses complex, legitimate-looking payment forms that are very hard to spot for the average user.
The researchers spotted multiple online ecommerce stores being breached, and a modal being placed on top of their actual payment forms.
The modals are HTML content overlaid over the top of the main webpage, which allows the user to interact with the login forms and notifications without leaving the site.
Hiding in plain sight
The modals look so good, (in some cases even being “better than the original”) that it’s almost impossible for the average user to discover anything amiss. In one of the campaigns, the researchers said, the modal displayed the site’s brand logo, correct language, and “elegant interface elements”.
Victims who try to buy something from these compromised websites would get a bogus error message which would redirect them to the actual payment URL to try and repeat the payment. That way hackers made sure their modals remained inconspicuous for as long as possible. The hackers would also plant a cookie on the endpoint of the victim, in order to prevent duplicate entries.
When it comes to discovering who the threat actors behind the campaign are, the jury is still out. Malwarebytes’ researchers speculate that it might be MageCart. However, they also said one of the victims was compromised by the Kritec campaign, which is a JavaScript skimmer Malwarebytes first found on Magento stores more thana year ago.
"It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly," reads the report. "While many hacked stores had a generic skimmer, it appears the custom modals were developed fairly recently, maybe a month or two ago."
It seems we might have to go back to one-time private cards with charge limits, to prevent our hard-earned money from getting into the wrong hands.
- These are the best firewalls right now
Via: BleepingComputer