This is what a fake payment page looks like (image from the original post)

A new type of payment skimmer was found on a dozen stores hosted on Shopify, BigCommerce, Zen Cart and WooCommerce. Hosted platforms like BigCommerce and Shopify do not allow custom JavaScript on checkout pages. This skimmer evades that restriction by showing a fake payment form and recording customer keystrokes before the customer ever reaches the actual checkout page. Once the data is intercepted, the skimmer displays an error message and the customer is redirected to the real payment page:

Sorry, Paypal Checkout failed processing your order. You will be redirected to Shopify Checkout.
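Because the fake form is rendered on a page where the platform does not expect card data to be collected, a merchant can watch for exactly that condition. The following is an added example (not Sansec's code and not part of the original post): it flags form inputs that look like card-data fields whenever the current page is not one of the merchant's own checkout hosts. The field-name heuristics, the `checkout.store.example` hostname, the `/report` endpoint and the sample inputs are all constructed for illustration.

```javascript
// Added example: detect card-data fields rendered outside the legitimate checkout.
// Heuristics only; `allowedCheckoutHosts` must be supplied by the merchant.

// Autocomplete tokens browsers reserve for payment-card fields.
const CARD_AUTOCOMPLETE = new Set([
  'cc-number', 'cc-csc', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-name',
]);

// Name/id/placeholder patterns typical of card-data inputs (triage heuristics,
// so a "giftcard" field will also match and needs an analyst's look).
const CARD_FIELD_PATTERNS = [
  /card/i,
  /cc[-_ ]?(num|number|no)\b/i,
  /\b(cvv|cvc|csc)\b/i,
  /expir/i,
  /\bpan\b/i,
];

// `input` is a plain descriptor: { name, id, placeholder, autocomplete }.
function looksLikeCardField(input) {
  if (input.autocomplete && CARD_AUTOCOMPLETE.has(input.autocomplete.toLowerCase())) {
    return true;
  }
  const hints = [input.name, input.id, input.placeholder].filter(Boolean);
  return hints.some((h) => CARD_FIELD_PATTERNS.some((re) => re.test(h)));
}

// Returns the card-like inputs that appear on a page that is NOT an allowed
// checkout host. On a legitimate checkout page nothing is reported.
function findRogueCardFields(inputs, pageUrl, allowedCheckoutHosts) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  if (allowedCheckoutHosts.map((h) => h.toLowerCase()).includes(host)) {
    return [];
  }
  return inputs.filter(looksLikeCardField);
}

// Browser wiring (skipped under Node): watch the DOM for injected fields and
// report them to a hypothetical merchant-owned endpoint.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const ALLOWED = ['checkout.store.example']; // constructed; replace with real hosts
  const describe = (el) => ({
    name: el.name, id: el.id, placeholder: el.placeholder, autocomplete: el.autocomplete,
  });
  const scan = () => {
    const inputs = Array.from(document.querySelectorAll('input')).map(describe);
    const rogue = findRogueCardFields(inputs, location.href, ALLOWED);
    if (rogue.length > 0) {
      // Assumed reporting endpoint; any beacon/log sink works.
      navigator.sendBeacon('/report', JSON.stringify({ page: location.href, rogue }));
    }
  };
  new MutationObserver(scan).observe(document.documentElement, { childList: true, subtree: true });
  scan();
}

// Stand-alone demonstration on constructed input descriptors.
const SAMPLE_INPUTS = [
  { name: 'email', autocomplete: 'email' },
  { name: 'card_number', autocomplete: '' },
  { name: 'cvv' },
  { name: 'coupon' },
];
console.log(findRogueCardFields(SAMPLE_INPUTS, 'https://store.example/cart', ['checkout.store.example']));
```

The check deliberately keys on where the form appears rather than on any signature of this particular skimmer, so a reskinned fake form on a product or cart page is still caught, while the same inputs on the real checkout host produce no finding.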

It is remarkable that so many different platforms are compromised in the same campaign. Typically, criminals exploit a flaw in a single platform. The attackers may instead have breached a shared component, e.g. software or a service that is used by all affected merchants.

Another curious technique is that this skimmer uses programmatically generated exfiltration domains. It keeps a counter and uses base64 encoding to produce a new domain name:

This leads, for example, to the following exfiltration domains. The first one was registered on August 31st.
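A counter run through base64 yields hostnames whose labels decode back to short printable strings, which is something a defender can test for in CSP violation reports or egress proxy logs without knowing the exact counter value. The following is an added example (not Sansec's code and not the skimmer's generator): it flags hostnames with a label that strictly round-trips through base64 to printable ASCII. It assumes, as a labelled guess about the scheme rather than a fact from the post, that base64 padding (`=`) is dropped so the label is DNS-legal, and that the logs preserve the original letter case; all sample hostnames are constructed.

```javascript
// Added example: flag hostnames whose labels are base64 of short printable text,
// the shape produced by "counter -> base64 -> domain label" generation.
// Assumption (not from the post): '=' padding is stripped to make the label DNS-legal.

const LABEL_RE = /^[A-Za-z0-9]{2,}$/; // standard base64 alphabet minus '+', '/', '='

// Strict decode: returns the decoded text, or null if the label is not
// unpadded base64 of printable ASCII. Node's Buffer decoder is lenient, so the
// result is re-encoded and compared to the original to reject near-misses.
function decodeBase64Label(label) {
  if (!LABEL_RE.test(label)) return null;
  const padded = label + '='.repeat((4 - (label.length % 4)) % 4);
  const bytes = Buffer.from(padded, 'base64');
  if (bytes.length === 0) return null;
  if (bytes.toString('base64').replace(/=+$/, '') !== label) return null;
  for (const b of bytes) {
    if (b < 0x20 || b > 0x7e) return null; // not printable ASCII
  }
  return bytes.toString('ascii');
}

// Examine every label except the TLD; return findings for analyst triage.
function analyzeHosts(hosts) {
  const findings = [];
  for (const host of hosts) {
    const labels = host.split('.');
    for (const label of labels.slice(0, -1)) {
      const decoded = decodeBase64Label(label);
      if (decoded !== null) {
        findings.push({ host, label, decoded });
      }
    }
  }
  return findings;
}

// Constructed sample of outbound hostnames, as an egress log or CSP report
// might list them. "MTAwMA" and "MTAwMQ" are base64("1000") and base64("1001")
// with padding removed.
const SAMPLE_HOSTS = [
  'cdn.store.example',
  'www.store.example',
  'MTAwMA.example.net',
  'api.MTAwMQ.example.net',
  'fonts.gstatic.com',
];

console.log(analyzeHosts(SAMPLE_HOSTS));
```

Ordinary labels such as `www`, `cdn` or `fonts` decode to non-printable bytes and are never reported, so the noise is low, but some real words do survive the round-trip; treat a hit as a prompt to look at the request body and the registrant, and, when the counter scheme is confirmed, at the neighbouring values that the same generator would produce next, which is what makes this pattern worth blocking ahead of time.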

The raw malware is hidden on the stores like this:

To summarize: this campaign shows that platform boundaries are no obstacle to the profitable fraud of online skimming. Wherever customers enter their payment details, they are at risk. Merchants should implement measures to actively counter this.


Sansec forensic experts were the first to document large-scale digital skimming in 2015. Since then, we have investigated thousands of hacked stores. Our research into the latest attack vectors protects our customers around the world. Our anti-skimming technology and data are used by merchants, forensic investigators, financial anti-fraud teams and service providers.