
Hundreds of online stores hacked in new campaign

When you shop online and enter your payment information, you risk becoming a victim of fraud. Digital skimmers are pieces of code injected into online stores that can steal your credit card number, expiration date, and CVV/CVC as you type it.

We recently discovered a new malware campaign targeting a number of online stores using Magento, a popular e-commerce platform. Due to the similarity of the compromises, we believe that the threat actors likely used the same vulnerability to plant their malicious code.

Within a few days, we identified over a dozen attacker-controlled websites that had been set up to receive the stolen data. After adding those malicious sites to our security products, we were able to block over 1.1K unique theft attempts against Malwarebytes users who happened to shop at one of the few hundred compromised stores.

Technical details

Each online store is injected with a single seemingly innocuous line of code, a simple script tag that loads content from an external website. Interestingly, we saw the same naming pattern on several hacked websites:

{domain}.{shop|online}/img/

Below you can see an example of such an injection for the webshop of a popular European beer producer:

Here is another example from a Canadian university, which was also compromised in a similar way. In the image we can see the contents of the remotely loaded JavaScript:

This loader contains a simple function that retrieves information from the site it is called from. For example, the domain name of the website is passed as a parameter (‘s’) in another URL that is intended to retrieve the actual full skimmer code, which consists of a huge blob of obfuscated JavaScript:

During checkout, the payment flow is seamlessly changed to insert a fake “Payment Method” frame on the store’s page. What’s interesting to note is that this particular store has externalized their payment process to a company called Quickpay. However, the skimmer code takes precedence as it is shown to victims first.

When you enter your credit card number, expiration date, and CVC code on the page, this data is transmitted in real time and stored in a criminal’s database.

Mitigating measures

Digital skimmers are often undetectable because of the way they blend into a website. Unless you inspect network traffic or debug the checkout page with Developer Tools, you simply cannot be certain that a store has not been compromised.

The critical moment is when you have to enter your credit card number. This is when malicious code gets a chance to grab that information directly from your browser.

In just a few days, our telemetry recorded 1,121 unique blocks from Malwarebytes users visiting a compromised store. The chart below shows those blocks by malicious skimmer domain:

Malwarebytes antivirus and the browser extension (Browser Guard) are both capable of detecting and blocking the malicious infrastructure that criminals are using in this campaign. If you were to visit a compromised store, you would see a warning like the one below. Access to the store is not blocked, and while in theory you should be able to shop safely (the skimmer code didn’t get a chance to load), we still recommend not making any purchases.

We have reached out to the stores mentioned in this blog post and they have already taken action to remove the malicious code or temporarily suspend their website. We have not individually reached out to each of the other compromised stores, but we have reported the malicious infrastructure to Cloudflare, who has already taken action to flag it as phishing.

Most credit card companies can quickly reissue a new card after it has been stolen. However, skimmers often collect more than just your financial information: they also take your email address, home address, and phone number, information that is typically required when buying something online.

If you suspect you recently made a purchase that your credit card company warned you about, check out our Identity Protection included with Malwarebytes Premium Security.

Indicators of compromise

Malicious domains used by the skimmer:

codcraft(.)shop
codemingle(.)shop
datawiz(.)shop
deslgnpro(.)shop
happywave(.)shop
luckipath(.)shop
pixelsmith(.)shop
salesguru(.)online
statlstic(.)shop
statmaster(.)shop
trendset(.)website
vodog(.)shop
artvislon(.)shop
statistall(.)com
analytlx(.)shop
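The injection pattern described under "Technical details" (a single script tag loading from `{domain}.{shop|online}/img/`, with the store's domain passed in an `s` parameter to fetch the stage-2 skimmer) and the IoC list above can be turned into a simple page and traffic check. The following Python script is an added example written for this post, not Malwarebytes' detection logic: it parses a store's HTML for external script sources and flags any that hit a listed domain, match the `/img/` naming pattern, or echo the store's own hostname in an `s` query parameter. The `s`-parameter check generalizes the loader behaviour the post describes and is an assumption about the URL shape; the sample HTML and request list are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# IoC domains from the blog post (defanged there with "(.)"), re-fanged for matching.
SKIMMER_DOMAINS = {
    d.replace("(.)", ".")
    for d in (
        "codcraft(.)shop codemingle(.)shop datawiz(.)shop deslgnpro(.)shop "
        "happywave(.)shop luckipath(.)shop pixelsmith(.)shop salesguru(.)online "
        "statlstic(.)shop statmaster(.)shop trendset(.)website vodog(.)shop "
        "artvislon(.)shop statistall(.)com analytlx(.)shop"
    ).split()
}

# Naming pattern observed on the hacked stores: {domain}.{shop|online}/img/
PATTERN_TLDS = {"shop", "online"}
PATTERN_PATH = re.compile(r"^/img/?$")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def _parse(url):
    """Return a parsed URL for external references, None for same-origin relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    elif url.startswith("/"):
        return None
    elif "://" not in url:
        url = "https://" + url
    return urlparse(url)


def classify_url(url, page_host):
    """Return a reason string if the URL looks like this campaign's loader or skimmer, else None."""
    parsed = _parse(url)
    if parsed is None:
        return None
    host = (parsed.hostname or "").lower()
    if not host or host == page_host.lower():
        return None
    if host in SKIMMER_DOMAINS:
        return f"known skimmer domain: {host}"
    # Assumption (the post only says the store domain is passed as parameter 's'):
    # an external URL echoing our own hostname in 's' is treated as a stage-2 fetch.
    if page_host.lower() in [v.lower() for v in parse_qs(parsed.query).get("s", [])]:
        return f"external URL echoing store domain in 's' parameter: {host}"
    if host.rsplit(".", 1)[-1] in PATTERN_TLDS and PATTERN_PATH.match(parsed.path):
        return f"matches loader naming pattern {{domain}}.{{shop|online}}/img/: {host}"
    return None


def find_injected_scripts(html, page_host):
    """Scan page HTML and return (src, reason) pairs for suspicious external scripts."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        reason = classify_url(src, page_host)
        if reason:
            hits.append((src, reason))
    return hits


def find_suspicious_requests(urls, page_host):
    """Same check applied to a list of request URLs, e.g. from a proxy or HAR export."""
    hits = []
    for url in urls:
        reason = classify_url(url, page_host)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed sample input: one listed domain, one pattern-only host, two benign scripts.
SAMPLE_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="//cdn.example-store.com/js/vendor.js"></script>
<script src="https://happywave.shop/img/"></script>
<script src="https://constructed-example.online/img/"></script>
</head><body><p>checkout</p></body></html>"""

# Constructed request log for the same (hypothetical) store.
SAMPLE_REQUESTS = [
    "https://www.example-store.com/checkout/",
    "https://cdn.example-store.com/js/vendor.js",
    "https://codcraft.shop/img/",
    "https://constructed-example.online/get.js?s=www.example-store.com",
]

if __name__ == "__main__":
    for src, reason in find_injected_scripts(SAMPLE_HTML, "www.example-store.com"):
        print(f"[script] {src}: {reason}")
    for url, reason in find_suspicious_requests(SAMPLE_REQUESTS, "www.example-store.com"):
        print(f"[request] {url}: {reason}")
```

Run it against the HTML of a checkout page (saved from the browser with Developer Tools) and against an exported request list; the IoC set is the one published here and should be replaced or extended as new infrastructure is identified.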