Posted on April 28, 2023 at 4:18 AM
Hackers hijack online stores to display fake payment forms and steal credit cards
Hackers have been infiltrating online stores to display fake payment forms. These payment forms are modern, and they appear realistic. However, they are used to steal credit card information from unsuspecting customers.
Hackers hijack online stores to steal credit cards
The fake payment forms these hackers display are modal HTML content overlaid on top of the main webpage. Modals normally let users interact with login forms or notification content without leaving the page. When a modal is active, the background content is often unavailable or blurred to draw attention to the modal content.
A recent report by Malwarebytes said that Magecart skimmers were hijacking the legitimate payment pages of online stores. These pages were being used to display fake payment forms as modals, and the forms were then used to steal credit card information from customers.
The modals used by these malicious actors are unusual because they sometimes appear better than the original. They also lack any distinguishing features that could make the user suspect they are not authentic.
Sophisticated threat actor
The report by Malwarebytes included details of some of the parties the threat actors compromised. One of the cases concerns a Parisian travel accessory store compromised in a new Kritec campaign.
Kritec is a JavaScript credit card skimmer that Malwarebytes first detected in Magento stores in March 2022. The same threat actor is likely behind the recent attack. According to the Malwarebytes report, the skimmer that affected the page was complex, and its code was hidden using base64 encoding.
After the shopper reaches the checkout page of a store infected with this malware, they will not be shown the actual payment form for the site. Instead, the malicious script will display a modal with the brand’s logo, correct language, and a seamless interface that appears better than the original one.
The fake payment form is designed to steal credit card information from customers and send it back to the hackers. After the buyer has entered their details in the modal, it displays a fake loader momentarily before showing a fake error message. The user is then redirected to the real payment URL.
However, while the fake pages are loading, the hacker is in the background stealing all the details the user has shared: the credit card number, expiration date, CVV number, and the cardholder's name.
The skimmer also drops a cookie on devices it has successfully targeted. The cookie ensures that the targeted device does not load the malicious modal again, on the same site or a different one. This prevents the hacker from collecting duplicate data and lowers the chance of the malicious activity being detected.
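As an added, defender-side example that is not from the article or the Malwarebytes report: a Python scan that decodes base64 runs found in a checkout page's inline scripts and flags payloads referencing card fields together with the behaviours described above (DOM injection and cookie setting). The sample HTML and the decoded stand-in payload are constructed for the example; the field names and term lists are assumptions, not indicators from the report.

```python
import base64
import re

# Constructed sample checkout page: one legitimate script tag and one inline
# script that unpacks a base64 blob, the hiding technique the report describes.
# The decoded payload is a harmless stand-in, not the real Kritec code.
STAND_IN_PAYLOAD = (
    "var m=document.createElement('div');m.className='modal';"
    "m.innerHTML='<input name=cc_number><input name=cvv><input name=expiry>';"
    "document.cookie='seen=1;max-age=2592000';"
)
SAMPLE_HTML = (
    "<html><body><script src='/static/checkout.js'></script>"
    "<script>eval(atob('"
    + base64.b64encode(STAND_IN_PAYLOAD.encode()).decode()
    + "'));</script></body></html>"
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Field names a card-stealing modal must reference (assumed list), and the
# behaviours the article attributes to the skimmer: DOM injection and a cookie.
CARD_TERMS = ("cc_number", "card_number", "cardnumber", "cvv", "expir")
BEHAVIOUR_TERMS = ("createelement", "innerhtml", "document.cookie")


def decode_blobs(script_text):
    """Yield (blob, decoded_lowercase_text) for every base64 run that decodes."""
    for blob in B64_RE.findall(script_text):
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        yield blob, raw.decode("utf-8", errors="ignore").lower()


def scan_checkout_html(html):
    """Return one finding per inline script whose hidden payload mentions card
    fields together with DOM injection or cookie setting."""
    findings = []
    for index, script in enumerate(SCRIPT_RE.findall(html)):
        for blob, text in decode_blobs(script):
            card_hits = [t for t in CARD_TERMS if t in text]
            behaviour_hits = [t for t in BEHAVIOUR_TERMS if t in text]
            if card_hits and behaviour_hits:
                findings.append({"script_index": index, "blob_prefix": blob[:16],
                                 "card_terms": card_hits, "behaviours": behaviour_hits})
    return findings
```

Running `scan_checkout_html(SAMPLE_HTML)` reports the second script tag; a page whose scripts carry no decodable payload with those terms yields an empty list.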
When the analysts at Malwarebytes blocked the credit card skimmer script, the original payment form loaded instead. Comparing the two, the authentic page has a less appealing design and is less user-friendly.
The authentic payment page will redirect a customer to a third-party payment processor. After the customer provides the banking details, they return to the shop’s page and complete the purchase.
Redirecting shoppers to an external site is common in online payments. However, a customer might see it as less trustworthy than a modal form on the page itself. Malwarebytes also noted that modal forms are becoming increasingly popular in the Magecart cybercrime community.
This is not the first instance of websites being targeted to display fake payment pages. Other websites found serving fake payment modals to visitors include e-commerce sites in Denmark and Finland. In both cases, the fake payment modals have an elegant design that makes them appear authentic.
The report also said these campaigns likely involve multiple threat actors customizing skimmers as needed. It noted that the majority of the hacked stores had a generic skimmer, but custom modals have been created recently.
Online shoppers need to remain vigilant and be on the lookout for these fake payment forms. It is also advisable to use electronic payment methods or one-time private cards with charge limits, which cannot be exploited by cybercriminals.