Credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores

Continue reading
Recently discovery has been done that credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores.
Payment card skimmers are JavaScript-based scripts that cybercrime gangs termed as Magecart groups inject within the checkout pages of e-commerce sites after hacking them as part of e-skimming attacks.
The attackers ultimate aim is to harvest the payment and personal information submitted by the hacked stores' customers and send it to remote servers under their control.
Stolen order information beneficial for pre-fill suspicious checkout iframes
This new strategy for stealing online shoppers' payment card information was discovered by Affable Kraut using information from Sansec, a security firm focused on fighting digital skimming.
As he discovered when analyzing the web skimmer, the malicious script was hidden inside an image hosted on the compromised store's own server using steganography.
The skimmer will capture all order form information entered by the victims and will withdraw it to the attackers' servers.
But this is where similarities with regular skimmer scripts end since the stolen order information is also later used to pre-fill false PayPal payment forms that will be injected and displayed during the checkout process instead of legal forms.
When the victim will get be directed to the PayPal order page, it's already partially filled out will likely fulfilled the criteria for successfully capturing their payment information.
If the victim enters their payment details and clicks on the submit button, the skimmer will withdrew all of it to apptegmaker[.]com, a domain registered in October 2020 and connected to tawktalk[.]com.
After stealing the victims' payment information, the skimmer will click the order button behind the malicious iframe sending the victim back to the legitimate checkout process.
Previously, the FBI cautioned both the government agencies and the SMBs (small and medium-sized businesses) of e-skimming threats targeting their process online payments.
The FBI and the Cyber security and Infrastructure Security Agency (CISA) have also shared defence measures that businesses and government agencies can implement to protect themselves and their users from web skimming threats.
However, users have a lot fewer options to protect themselves against Magecart attacks, with browser extensions specially designed to block loading JavaScript code on unreliable websites.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation