Magento Web Skimmers Piggyback in Ongoing Costway Website Compromise

piggybacking web skimmer e-commerce

An e-commerce credit-card skimmer is being used by a second skimmer to steal payment data – and both are on Costway’s website.

Two web skimmers have been discovered on the payment webpages of Costway, one of the top retailers in North America and Europe, which sells appliances, furniture and more. The skimmers are targeting consumers’ credit-card payment details.

In a twist, researchers say one of these web skimmers is piggybacking on top of the other, to take over the fake forms that had previously been injected onto Costway’s site. The tactic gives the cybercriminals behind the piggybacking skimmer an easy way to harvest credit-card details – without doing the heavy lifting, said researchers.

The website under attack runs on the no-longer-maintained Magento 1 e-commerce software branch. Magento is an e-commerce platform for online merchants that’s built on open-source technology. Support for Magento 1 ended last June, with the thousands of retailers worldwide operating on the platform being urged to update to the more mobile-friendly Magento 2 iteration.

“A large number of Magento 1 sites have been hacked but yet are not necessarily being monetized,” said researchers with Malwarebytes on Tuesday. “Other threat actors that want access will undoubtedly attempt to inject their own malicious code. When that happens, we see criminals trying to access the same resources and sometimes fighting with one another.”

Researchers first discovered a skimmer that had injected a fake payment form directly onto the checkout page for costway[.]fr, the merchant’s French website. The payment form was harvesting visitors’ payment-card details as they input them.

“Our crawlers identified that the websites for Costway France, U.K., Germany and Spain, which run the Magento 1 software, had been compromised around the same time frame,” said researchers.

skimmer costway

Costway site already hacked with Magento 1 skimmer. Credit: Malwarebytes

The potential threat to victims here is massive, with Costway’s French portal (costway[.]fr) attracting about 180K visitors just in December, said researchers.

Upon further investigation, researchers were surprised to discover another skimmer present on the site. This skimmer was loaded externally from securityxx[.]top.

Researchers believe that the second skimmer may not have had the same foothold or access to the webpage as the first skimmer. In this scenario it would make sense for attackers to simply inject code on top of the first skimmer and grab credentials from the first skimmer’s fake form. 

“It’s possible that the threat actors’ level of access to e-commerce sites differs,” they explained. “The former exploit a core vulnerability that grants them root access, while perhaps the latter can only perform specific types of injections. If that is the case, this would explain why they simply leave the fake form alone and grab credentials from it.”

An Ongoing Attack

Researchers said that cybercriminals also continue to actively re-inject Costway’s website, even after they notified the retailer of the compromise.

“We informed Costway during our investigation but also witnessed their site getting re-infected,” said researchers. “The costway[.]top domain was discarded in favor of securityxx[.]top where threat actors customized the skimmer specifically for them.”

It’s unclear if this particular attack is the work of Magecart — a conglomeration of threat groups that specialize in compromising vulnerable e-commerce stores to inject payment-card skimmers. But researchers have reported that they have seen an uptick in the number of e-commerce sites that are being attacked by Magecart and related groups that utilize web skimming. In September for instance, one of the largest known Magecart campaigns to date occurred, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles