skip to Main Content

Cybercrime uses an iframe-based phishing system to steal payment card data

Bleeping Computer: Cybercrime steals payment card data, using rogue iframe phishing. Malwarebytes cyber security expert Jerome Segura: Magecart groups are injecting credit card stealer scripts within every page of the hacked websites and configured it to pop-up as a phishing form

Cybercrime uses new tricks to steal payment card data. According to Bleeping Computer, they have upgraded their credit card skimming scripts to use an iframe-based phishing system, designed to phish for credit/debit card info from Magento-powered store customers on checkout. Magecart groups usually inject JavaScript-based payment data skimmers within the code of the website, with the scripts collecting and exfiltrating payment information in the background and customers never even noticing that it happened. In this case, as Malwarebytes cyber security researcher Jérôme Segura discovered, they injected credit card stealer scripts within every page of the hacked websites and configured it to pop-up as a phishing form asking the buyers to provide the info themselves.

The cyber security expert: cybercrime hackers first collect the data; next the credit cards are validated and sent to an exfiltration server

The iframe-based skimming, discovered by cyber security expert Segura, one-ups Magecart Goup 4’s devious strategy by displaying a credit card phishing form on the page where customers are redirected to the payment service provider (PSP), a place where online shops would never ask their users for payment info given that the payment process is externalized to the PSP. The cybercrime crooks injected all the pages of hacked Magento websites with this iframe-based credit card phishing script, but the phishing form will only be displayed on the store’s checkout page. They first collect the data, using the rogue iframe that gets created on the compromised using an obfuscated script loaded from thatispersonal [.]com. Next, the phished credit card gets validated and sent to the exfiltration server with the help of another obfuscated script via a POST request to the same Russian-hosted domain. 

Magecart campaigns are as active as ever

According to Bleeping Computer, Magecart campaigns are as active as ever, with their activity very rarely showing any lows. As testimony to this, security firm Group-IB discovered 2,440 compromised sites during early-April, infected with payment data skimmers. Furthermore, at the beginning of May, another group was behind a polymorphic skimmer script with built-in support for 57 payment gateways from all around the world which can be integrated within almost any store checkout page, on any online shop, to scrape payment card info without having to customize for each compromised site. Two days later, on May 3, the checkout pages of hundreds of U.S. and Canadian PrismWeb-powered campus stores were compromised by a Magecart group dubbed Mirrorthief by Trend Micro.

Back To Top