Black Lotus Labs cybersecurity experts: It propagates through known CVEs and through brute-forced as well as stolen SSH keys. It is an evolution of Kaiji.
Bleeping Computer: Cybercrime steals payment card data using rogue iframe phishing. Malwarebytes cyber security expert Jerome Segura: Magecart groups are injecting a credit card stealer script into every page of the hacked websites and have configured it to pop up as a phishing form.
The cyber security expert: the cybercrime hackers first collect the data; next the credit cards are validated and sent to an exfiltration server.
The iframe-based skimming, discovered by cyber security expert Segura, one-ups Magecart Group 4's devious strategy by displaying a credit card phishing form on the page from which customers are redirected to the payment service provider (PSP), a place where an online shop would never ask its users for payment info, since the payment process is externalized to the PSP. The crooks injected every page of the hacked Magento websites with this iframe-based credit card phishing script, but the phishing form is only displayed on the store's checkout page. They first collect the data using a rogue iframe that is created on the compromised site by an obfuscated script loaded from thatispersonal[.]com. Next, the phished credit card is validated and sent to the exfiltration server by another obfuscated script, via a POST request to the same Russian-hosted domain.
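The attack has three observable parts on the victim page: a script loaded from a foreign origin, an iframe framed from that same origin, and a POST back to it. The following Node.js scanner is an added example, not code from the page, from Bleeping Computer or from Malwarebytes: it walks the HTML of a store page, reports every script and iframe whose origin is neither the shop's own nor an allow-listed PSP, flags inline scripts that carry the usual obfuscation markers, and prints the Content-Security-Policy that would have blocked all three parts. The shop and PSP origins (shop.example.test, pay.example-psp.test) and the sample checkout page are constructed for the demo; thatispersonal.com is the domain the page names and is never contacted.

```javascript
// Added example: static scan of a store page for Magecart-style injection.
// Nothing here fetches anything; the sample HTML below is constructed.
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
const IFRAME_SRC = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// Inline scripts only: a <script> tag with no src attribute.
const INLINE_SCRIPT = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;

// Resolve a src attribute to an origin; relative URLs belong to the shop itself.
function originOf(src, shopOrigin) {
  try {
    return new URL(src, shopOrigin).origin;
  } catch {
    return null; // unparsable src (e.g. javascript:) is still reported by the caller
  }
}

// Every <script src> / <iframe src> whose origin is not first-party or allow-listed.
function findUnexpectedLoads(html, shopOrigin, allowedOrigins) {
  const allowed = new Set([shopOrigin, ...allowedOrigins]);
  const hits = [];
  for (const [re, kind] of [[SCRIPT_SRC, "script"], [IFRAME_SRC, "iframe"]]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(html)) !== null) {
      const origin = originOf(m[1], shopOrigin);
      if (origin === null || !allowed.has(origin)) hits.push({ kind, src: m[1], origin });
    }
  }
  return hits;
}

// Heuristics for an obfuscated loader: runs of hex/unicode escapes, eval/atob/
// unescape/Function, or a very long single string literal (packed payload).
function looksObfuscated(code) {
  const markers = [
    /\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){4,}/i,
    /\\u[0-9a-f]{4}(\\u[0-9a-f]{4}){4,}/i,
    /\b(eval|atob|unescape|Function)\s*\(/,
    /["'][A-Za-z0-9+/=]{120,}["']/,
  ];
  return markers.some((re) => re.test(code));
}

// Return the first 80 chars of each inline script that trips the heuristics.
function findObfuscatedInlineScripts(html) {
  INLINE_SCRIPT.lastIndex = 0;
  const found = [];
  let m;
  while ((m = INLINE_SCRIPT.exec(html)) !== null) {
    if (looksObfuscated(m[1])) found.push(m[1].trim().slice(0, 80));
  }
  return found;
}

// A checkout-page CSP that stops each half of the attack: no inline scripts
// ('unsafe-inline' is absent), scripts and frames only from self/PSP, and
// connect-src/form-action so the card data cannot be POSTed to a foreign host.
// Assumes the shop's own checkout code does not rely on inline scripts.
function checkoutCsp(shopOrigin, pspOrigin) {
  return [
    "default-src 'self'",
    `script-src 'self' ${pspOrigin}`,
    `frame-src ${pspOrigin}`,
    `connect-src 'self' ${pspOrigin}`,
    `form-action 'self' ${pspOrigin}`,
  ].join("; ");
}

// Constructed sample: the PSP's legitimate iframe plus an injected obfuscated
// loader, a loader fetched from the skimmer domain, and the rogue iframe.
const SAMPLE_CHECKOUT = `
<html><body>
<script src="/js/checkout.js"></script>
<iframe src="https://pay.example-psp.test/hosted-form"></iframe>
<script>var _0x1a=["\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e"];eval(atob("ZG9jdW1lbnQ="));</script>
<script src="https://thatispersonal.com/js/loader.js"></script>
<iframe src="https://thatispersonal.com/form.html" style="position:absolute"></iframe>
</body></html>`;

const SHOP = "https://shop.example.test"; // assumed shop origin
const PSP = "https://pay.example-psp.test"; // assumed payment provider origin

if (typeof require !== "undefined" && require.main === module) {
  console.log(findUnexpectedLoads(SAMPLE_CHECKOUT, SHOP, [PSP]));
  console.log(findObfuscatedInlineScripts(SAMPLE_CHECKOUT));
  console.log(checkoutCsp(SHOP, PSP));
}
```

Run it against a saved copy of the checkout page (not the live site, which may serve clean HTML to known scanner IPs). The origin check is the reliable part; the obfuscation heuristics are there to surface the inline loader and will also trip on legitimate minified code, so treat them as a triage hint rather than a verdict.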
Magecart campaigns are as active as ever
According to Bleeping Computer, Magecart campaigns are as active as ever, with their activity rarely showing any lows. As testimony to this, security firm Group-IB discovered 2,440 compromised sites in early April, infected with payment data skimmers. Furthermore, at the beginning of May, another group was found behind a polymorphic skimmer script with built-in support for 57 payment gateways from around the world, which can be integrated into almost any checkout page on any online shop to scrape payment card info without having to be customized for each compromised site. Two days later, on May 3, the checkout pages of hundreds of U.S. and Canadian PrismWeb-powered campus stores were compromised by a Magecart group dubbed Mirrorthief by Trend Micro.