‘Google’ Sites Are the Latest Ploy by Card-Skimming Thieves

A credit-card skimmer on Magento sites was found loading JavaScript from a legitimate-seeming Google Analytics domain.

Malicious domains masquerading as Google sites are the latest ploy by payment card-skimming adversaries looking to dupe website visitors.

According to analysts at Sucuri, cybercriminals are using typosquatting (the practice of changing one letter in a trusted site name to use as a malicious URL) to deceive unsuspecting, unobservant victims.

The Sucuri team found a website using the Magento e-commerce platform that had been blacklisted and was experiencing “Dangerous Site” warnings. It turned out that the site had been infected with a credit-card skimmer loading JavaScript from a legitimate-seeming Google Analytics domain. Closer inspection of the purported trusted Google site showed the URL to actually be “google-analytîcs[.]com” — not a Google site at all.

Further, once credit-card details are harvested, the data is sent to a remote server. This too uses a fake Google domain: “google[.]ssl[.]lnfo[.]cc.”

“The malicious user purposely selected the domain name with the intention of deceiving [users],” explained Luke Teal, a security analyst at Sucuri, in a Thursday write-up. “Website visitors may see a reputable name (like ‘Google’) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature. This tactic is also common in phishing attacks to trick victims into thinking a phishing page is actually legitimate.”

Like other Magento credit-card stealers, the malicious code uses the loaded JavaScript to capture any input data from online e-commerce forms. The skimmer supports dozens of payment gateways, which Teal said indicates plenty of legwork on the part of the attackers; and, it indicates a wide-ranging campaign.

The skimmer does have a twist, however, in the form of checking for developer tools.

“An interesting aspect of the JavaScript code is that it alters its behavior based on whether developer tools are open in Google Chrome or Mozilla Firefox,” Teal explained. “In fact, the malicious JavaScript doesn’t even exfiltrate any of the captured input data to the C2 server if developer tools are open, which it detects using window.devtools.open.”

Credit card skimmers on Magento sites are not a new phenomenon (the Magecart group makes them a specialty), but the campaign shows that the bad actors are constantly evolving their tactics as the infections become more widespread.

Teal pointed out that patching can go a long way to protecting a site from infection. In May for example, Magento patched 37 vulnerabilities, including a host of critical flaws allowing remote code-execution.

“During our analysis of hacked websites in 2018, we found that 83 percent of Magento websites were vulnerable at the point of infection,” he said. “In an effort to obtain sensitive customer data and credit card information from e-commerce websites, attackers continue to leverage vulnerable Magento installations.”

 

Suggested articles

Discussion

  • Lord Fly on

    I believe this should partially fall on the entities selling and managing domain names. Even Google should be looking for these bad domains. But please block using noscript. I would rather see who is attempting to run a script before allowing it temporarily.
  • Lloyd Irving on

    The problem with noscript is the learning curve and a counter to "user convenience". People have a tendency to prefer convenience over anything else and that itself is a problem.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.