Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.

A blue credit card on a fish hook being dangled above a computer keyboard
Source: Kim Kuperkova via Shutterstock

Attackers are targeting Magento e-commerce websites with a new card-skimming malware that can dynamically lift payment details from checkout pages of online transactions. The attack, discovered by a researcher from Web security firm Surcuri, comes as online retailers and shoppers are priming for this week's historically busy Black Friday online shopping day.

Sucuri security analyst Weston Henry discovered the attack in the form of a malicious JavaScript injection, which has multiple variants and target sites built on the popular e-commerce platform in two different ways, according to a blog post published on Nov. 26.

One way is by creating a fake credit card form to steal card details, the other is by extracting the data directly from the payment fields. "Its dynamic approach and encryption mechanisms make it challenging to detect," Sucuri security analyst Puja Srivastava explained in the post. The data is then encrypted and exfiltrated to a remote server controlled by the attacker.

Magento-based websites are a frequent target for cybercriminals due to their widespread usage for e-commerce and the valuable customer data they handle, including payment card or bank account details. And card-skimming — typically by a group of cybercriminals collectively known as Magecart — is a popular attack vector to steal such data from these sites.

Related:Microsoft Expands Access to Windows Recall AI Feature

Cyber Victims Targeted During Shopper Checkout

Henry discovered the malicious script during a routine inspection of a Magento-based site with Sucuri's SiteCheck. "The tool identified a resource originating from the blacklisted domain dynamicopenfonts.app," explained Sucuri security analyst Puja Srivastava in the post. Eventually, the resource was found in two locations on the site.  

One of the locations where it was found was within the <referenceContainer> directive of the XML file, which is designed to load a JavaScript resource just before the closing <body> tag.

Attackers obfuscated the contents of the external script to avoid detection, "making it challenging to identify at first glance," Srivastava noted.

Once executed, the script activates only on pages containing the word "checkout" but excluding the word "cart" in the URL, with the aim of extracting sensitive credit card information from specific fields on the checkout page.

After it's completed this malicious task, the malware collects additional user data through Magento’s APIs, including the user's name, address, email, phone number, and other billing information. "This data is retrieved via Magento's customer-data and quote models," Srivastava explained.

Related:Open Source Security Priorities Get a Reshuffle

Magento Malware's Strong Anti-Detection Game

Attackers behind the malware have taken care to use multiple anti-detection techniques to hide their malicious activity, the researchers found. While the malware is collecting the data, it first encodes it as JSON and then XOR-encrypts it with the key "script" to add an extra layer of obfuscation, the researchers found.

The encrypted data also is Base64-encoded before being sent via a beaconing technique to a remote server at staticfonts.com. Beaconing is a method whereby a script or program sends data silently from the client to a remote server without alerting the user or interrupting their activity.

While legitimate applications such as analysis tools also use beaconing, malicious actors favor the technology because it's a stealthy and hard-to-detect way to transmit stolen data, the researchers noted.

How to Secure E-Commerce Sites From Cyberattack

To protect e-commerce sites from stealthy card-skimmers — particularly on busy shopping days like Black Friday, which are a goldmine for cybercriminals — Sucuri recommends administrators conduct regular security audits, monitor unusual activity, and deploy a robust Web application firewall (WAF) to protect sites.

Related:Onapsis Expands Code Security Capabilities to Accelerate and De-Risk SAP BTP Development Projects

They also should ensure that sites are consistently updated with the latest security patches, as "outdated software is a primary target for attackers who exploit vulnerabilities in old plug-ins and themes," Srivastava wrote.

Administrators also should ensure they use strong, unique passwords on e-commerce sites to bolster security and avoid having them easily cracked by attackers. Finally, implementing file integrity monitoring to detect any unauthorized changes to website files also can serve as an early warning system.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights