Just in time for a busy online holiday shopping season, the Magecart gang has come up with a new credit-card skimming technique for hijacking PayPal transactions during checkout.
A security researcher who identifies himself as Affable Kraut discovered the technique, which uses postMessage to inject convincing PayPal iframes into the checkout process of an online purchase, “the first skimmer to deploy such a method,” he said on Twitter. BleepingComputer first reported his research.
Magecart is an umbrella term encompassing several different threat groups who all use the same attack method: They compromise e-commerce websites to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment card details and other information entered into the fields on the page. The info is then sent back to a server under the attackers’ control.
Affable Kraut used data from Sansec, a security firm aimed at combatting digital skimming, to peer under the hood of the new card-skimming technique. While most methods that try to emulate PayPal pages to trick users into entering details even when the process is being hijacked don’t look very authentic, the one he observed “goes through a lot of work to try and be as convincing as possible,” Kraut tweeted.
One of the key factors lending to this appearance is its use of a script called window.postMessage, which enables cross-origin communication between a Web page and a pop-up that it spawned, or between a page and an iframe embedded within it.
Thanks to data from @sansecio I stumbled upon a digital skimming / #magecart technique for injecting convincing PayPal iframes into the checkout process. It does this using postMessage, and I think this is the first skimmer to deploy such a method.
— Affable Kraut (@AffableKraut) November 30, 2020
Typically, scripts on different pages can only access each other if and only if the pages they original from share the same protocol, port number and host. PostMessage can circumvent this restriction, and the attackers use it to their advantage to transmit the stolen payment info in a way that looks authentic to the user, the researcher said.
The attack hides malicious code inside an image hosted on the server of the compromised online store using a steganography method that Affable Kraut said his colleague first discovered last year.
While at first the code seems similar to many other skimmers in that it grabs data the shopper has inputted in the form and exfiltrates it, it then does something very differently than other skimmers, he said. It uses the exfiltrated data to improve its fake payment form, the researcher said.
The attack does this by pre-filling fake PayPal forms to be displayed during a victim’s checkout process instead of the legitimate one, which boosts the likelihood the person shopping will fall victim to the malicious action.
“When the victim sees this page, it is now partially filled out, which definitely increases the odds that it will capture their full payment data,” Affable Kraut tweeted.
The skimmer even parses info before filling in PayPal forms and, if the data is not good, it actually sends a message back to the page on the victim’s site, removing the malicious iframes from the checkout page.
However, if the data passes the parsing process, the attack uses an __activatePg call to prefill the form in the malicious transaction. It will even pass along the items in the cart and the accurate transaction total, taxes and shipping costs, which lend even more plausibility to the attack, Affable Kraut said.
Once the victim enters and submits payment info, the skimmer exfiltrates the data to apptegmaker[.]com, a domain registered in October 2020 and connected to tawktalk[.]com. The latter was seen used in previous Magecart group attacks. The skimmer then clicks the order button behind the malicious iframe and sends the victim back to the legitimate checkout page to complete the transaction.
The Christmas holiday shopping season of the month kicked off this past weekend and is likely to be largely an online affair that will keep attackers like Magecart and affiliated groups that are focused on stealing payment credentials busy. Attackers already had been seen shifting tactics and victims as well as ramping up e-commerce attacks in the last months.
In September, Magecart mounted one of its largest campaigns to date with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. The attacks impacted tens of thousands of customers who had their credit-card and other information stolen. The group also that month was seen using encrypted messaging service Telegram as a channel for sending stolen credit-card information back to its command-and-control (C2) servers.
Then in October, a Magecart spinoff group called Fullz House group targeted an unlikely victim in Boom! Mobile’s, targeting the wireless service reseller’s website with an e-commerce attack.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from world-class security experts on new kinds of attacks, the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.