Malicious domains masquerading as Google sites are the latest ploy by payment card-skimming adversaries looking to dupe website visitors.
According to analysts at Sucuri, cybercriminals are using typosquatting (the practice of changing one letter in a trusted site name to use as a malicious URL) to deceive unsuspecting, unobservant victims.
Further, once credit-card details are harvested, the data is sent to a remote server. This too uses a fake Google domain: “google[.]ssl[.]lnfo[.]cc.”
“The malicious user purposely selected the domain name with the intention of deceiving [users],” explained Luke Leal, a security analyst at Sucuri, in a Thursday write-up. “Website visitors may see a reputable name (like ‘Google’) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature. This tactic is also common in phishing attacks to trick victims into thinking a phishing page is actually legitimate.”
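The lookalike-domain trick described above is easy to catch once you stop matching on the brand string and start matching on the registrable domain. The following is an added example (not code from the article or from Sucuri) of a small defender-side check that scans the hosts a checkout page talks to and flags any that carry a trusted brand name, or a confusable spelling of it, while resolving to a registrable domain outside that brand's allow-list. The allow-list, the confusable map, the two-label eTLD+1 shortcut and the sample request list are all constructed assumptions for this example; a production check should use the Public Suffix List and your own inventory of approved third-party hosts.

```python
from urllib.parse import urlparse

# Constructed allow-list: brand name -> registrable domains that legitimately serve it.
TRUSTED_DOMAINS = {
    "google": {"google.com", "googleapis.com", "gstatic.com", "googletagmanager.com"},
}

# Character swaps typosquatters rely on, folded to one canonical form so that
# "goog1e", "googie" and "google" all compare equal (constructed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))


def refang(text):
    """Turn a defanged indicator such as google[.]ssl[.]lnfo[.]cc back into a real host."""
    return text.replace("[.]", ".")


def normalize(label):
    """Fold confusable characters so lookalike labels match their target brand."""
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return label


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: fine for .com/.cc; use the PSL in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host):
    """Return 'trusted', 'lookalike:<brand>' or 'unknown' for a hostname or defanged indicator."""
    host = refang(host).lower()
    reg = registrable_domain(host)
    folded = normalize(host)
    for brand, legit in TRUSTED_DOMAINS.items():
        if reg in legit:
            return "trusted"
        # Brand string present (raw or after confusable folding) but the registrable
        # domain is not one the brand actually owns: the article's google[.]ssl[.]lnfo[.]cc case.
        if brand in host or normalize(brand) in folded:
            return f"lookalike:{brand}"
    return "unknown"


def scan_requests(urls):
    """Flag outbound request URLs whose host masquerades as a trusted brand."""
    findings = []
    for url in urls:
        host = urlparse(refang(url)).hostname or ""
        verdict = classify_host(host)
        if verdict.startswith("lookalike"):
            findings.append((host, verdict))
    return findings


# Constructed sample of script/XHR destinations observed on a checkout page.
SAMPLE_REQUESTS = [
    "https://www.google.com/recaptcha/api.js",
    "https://google[.]ssl[.]lnfo[.]cc/collect",       # exfil host named in the article (defanged)
    "https://cdn.example-shop.com/js/checkout.js",
    "https://goog1e-analytics.example/g.js",           # constructed confusable lookalike
]

if __name__ == "__main__":
    for host, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:18} {host}")
```

Run against a CSP report feed, a proxy log, or the list of script `src` values pulled from the checkout page; anything reported as `lookalike:` deserves a look even when the brand string reads as "Google" at a glance.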
The skimmer does have a twist, however: it checks whether the browser's developer tools are open, a step meant to hinder inspection of its code.
Credit card skimmers on Magento sites are not a new phenomenon (the Magecart group makes them a specialty), but the campaign shows that the bad actors are constantly evolving their tactics as the infections become more widespread.
Leal pointed out that patching can go a long way toward protecting a site from infection. In May, for example, Magento patched 37 vulnerabilities, including a host of critical flaws allowing remote code execution.
“During our analysis of hacked websites in 2018, we found that 83 percent of Magento websites were vulnerable at the point of infection,” he said. “In an effort to obtain sensitive customer data and credit card information from e-commerce websites, attackers continue to leverage vulnerable Magento installations.”