Segura further added that “This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.”
The only hacking organization known for launching such an attack is Magecart. The group includes several hacker groups that attack online shopping carts in a process known as formjacking.
The PHP backdoor is disguised as a favicon (“Magento.png”), and the malware is then executed into the affected sites by changing shortcut icon tags on the HTML code to lead to the fake image file. The web shell is then later disguised to steal details from the external host . The credit card skimmer used in this case is similar to another version dubbed ‘Cardbleed’ used in an attack in September 2020. It is believed the hackers changed the attack after users were publicly made aware of the threat.
According to Malwarebytes, the attack is linked to Magecart Group 12 after analysing the methods, techniques, and procedures. The report also added that “the newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.
The group operates with the main intention of extracting and retrieving payment data. The actors have exploited several attack vectors in recent months, enabling them to operate undetected while stealing data.
One of the group’s disguising strategies involves hiding the stealer code for card data on the image metadata and then conducting a series of IDN homograph attacks, which are hidden within the website’s favicon file. The code later exfiltrates the data using Telegram and Google Analytics. Magecart has in recent months enhanced its operating strategy on attacking online stores and stealing data.
The filtration of the data from payment platforms is becoming a critical issue that website users need to be made aware of. However, some attacks are disguised in a manner that even advanced web users cannot uncover.