Web-Based Keylogger Used to Steal Credit Card Data from Popular Sites

Researchers estimate thousands of ecommerce sites are under attack by a single threat actor that has infected servers with a web-based keylogger.

Popular ecommerce sites have been infected with web-based keyloggers that are being used to steal credit card data as it’s entered into online checkout forms. More than 100 compromised sites have been identified, but the number could be in the thousands, researchers said.

RiskIQ, in collaboration with ClearSky, published its findings (PDF) Thursday, and said some of the ecommerce sites impacted include Everlast Worldwide, the Australian ecommerce site for apparel giant Guess, and Fidelity Investments’ FidelityStore, a site maintained by third-party firm SwervePoint.

In a statement to Threatpost, Fidelity Investments said the site is not one that “serves our customers or the general public” and is “hosted, managed and operated by a third-party vendor and is separate from Fidelity’s technology infrastructure, including the infrastructure that serves our customers.” It added it wasn’t aware of anyone affected “by this issue.” Everlast Worldwide declined to comment and representatives from SwervePoint and Guess did not reply to requests for comment.

The campaign is tied to a single unidentified hacking group, RiskIQ said, that began its most recent wave of attacks in March. Many of the sites are still actively stealing credit card data, according to Darren Spruell, threat researcher at RiskIQ.

RiskIQ warned an undisclosed number of sites impacted by the vulnerability. However, Spruell said, only a tiny fraction acknowledged being notified.

“When someone makes a purchase and enters their credit card data at these sites, that data is stolen and sent back to attackers in real time,” he said.

Researchers say many of the hacked ecommerce websites run the open source Magento ecommerce platform. Earlier this summer, researchers at Sucuri identified an uptick in the use of a new variant of a web-based keylogger, also called a credit card stealer, which stole credit card data in real time from the Magento ecommerce platform. RiskIQ said the hackers behind this most recent wave of attacks use a similar technique but are also targeting additional ecommerce platforms such as Powerfront CMS and OpenCart.

Spruell said it isn’t clear what vulnerability attackers are exploiting, but added it could be any number of vulnerabilities within the server stack that would allow malware to be installed.

According to RiskIQ, the attackers place a “simple” script tag on the targeted ecommerce website. A script tag is a few lines of HTML that can trigger additional actions, such as loading malicious JavaScript or further scripts hosted on remote servers.

When a checkout form is detected, the script tag loads the keylogger JavaScript from an external domain. Whenever credit card information is entered into the site, the data is forwarded to an attacker-controlled domain.
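Because the injected tag loads its payload from a domain the site owner never approved, the most direct check a site operator can run is an inventory of every external script source (and every off-site form action) on the checkout page, compared against an allowlist of known hosts. The following is an added example written for this article, not code from RiskIQ, Sucuri or the affected sites; the HTML fragment, the hostnames ending in `.invalid` and the allowlist are constructed for illustration. It also emits a Content-Security-Policy header built from the same allowlist, which is the standard browser-side control for refusing scripts from unlisted origins.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: a first-party script, a script from the shop's own
# CDN, and one script tag pointing at a hypothetical host that is not on the
# allowlist (stand-in for an injected loader). All hostnames are made up.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout" action="/checkout/submit">
  <input name="cc_number"><input name="cc_cvv">
</form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-shop.invalid/lib/jquery.min.js"></script>
<script src="//stats.third-party.invalid/k.js"></script>
<script>console.log("inline");</script>
</body></html>
"""

# Hosts the site operator has knowingly approved to serve script (constructed).
ALLOWED_SCRIPT_HOSTS = {"cdn.example-shop.invalid"}


class TagSourceCollector(HTMLParser):
    """Collects every <script src=...> and every <form action=...> on a page."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        for name, value in attrs:
            if not value:
                continue
            if tag == "script" and name.lower() == "src":
                self.script_srcs.append(value)
            elif tag == "form" and name.lower() == "action":
                self.form_actions.append(value)


def _external_hosts(urls):
    """Return the lowercase hostnames of URLs that point off-site.

    Relative paths ("/js/x.js") have no netloc and are treated as first-party;
    protocol-relative URLs ("//host/x.js") do carry a netloc and are kept.
    """
    hosts = []
    for url in urls:
        netloc = urlparse(url).netloc
        if netloc:
            hosts.append(netloc.lower())
    return hosts


def external_script_hosts(html):
    collector = TagSourceCollector()
    collector.feed(html)
    return _external_hosts(collector.script_srcs)


def external_form_actions(html):
    """Forms that submit somewhere other than the site itself."""
    collector = TagSourceCollector()
    collector.feed(html)
    return _external_hosts(collector.form_actions)


def unexpected_script_hosts(html, allowlist=ALLOWED_SCRIPT_HOSTS):
    """Script hosts that are neither first-party nor on the allowlist."""
    return sorted({h for h in external_script_hosts(html) if h not in allowlist})


def build_csp(allowlist=ALLOWED_SCRIPT_HOSTS):
    """A Content-Security-Policy value that permits script only from the site
    and the allowlisted hosts, and keeps form posts and XHR/fetch on-site.
    (Other exfiltration channels such as image beacons need img-src limits too.)
    """
    sources = " ".join(["'self'"] + sorted("https://" + h for h in allowlist))
    return f"script-src {sources}; connect-src 'self'; form-action 'self'"


if __name__ == "__main__":
    for host in unexpected_script_hosts(SAMPLE_CHECKOUT_HTML):
        print("unexpected script host:", host)
    for host in external_form_actions(SAMPLE_CHECKOUT_HTML):
        print("form posts off-site to:", host)
    print("Content-Security-Policy:", build_csp())
```

Run it against the fetched checkout page rather than the server-side template: the injected tag lives in what the server actually serves (or in a compromised theme or extension file), so a scan of the rendered HTML, repeated on a schedule and diffed against the previous run, is what catches a newly added loader.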

Loading the JavaScript from a remote domain allows the attacker to modify the malware’s source code without having to reinfect the site, Sucuri said in its report. The method has a further advantage for the attacker: because the data is captured as the customer types it at checkout, the stolen credit card data is new, valid and tied to accounts with funds available, Spruell said.

While web-based keyloggers and credit card stealers aren’t uncommon, RiskIQ believes these types of attacks are on the rise. Since March the threat actors behind this most recent campaign have grown more sophisticated, opting to use bulletproof hosting services and attacking a wider range of ecommerce platforms.
