Fake payment page before checkout on Shopify and BigCommerce
by Sansec Forensics Team
Published in Threat Research, December 24, 2020
[Screenshot: a "guaranteed safe checkout" with PayPal etc. on a Shopify store]
Once the data is intercepted and exfiltrated, the attackers display an error message and the customer is redirected to the real payment page. Customers probably just enter their details again, and it takes several days or weeks before they notice they have been charged twice.
A rare attack on multiple ecommerce platforms
It is remarkable that so many different platforms are compromised in the same campaign. Typically, criminals exploit a flaw in a single platform. Attackers may have breached a shared component, a piece of software or a service that is used by all affected merchants across the different ecommerce platforms.
Another curious technique is that this skimmer uses programmatically generated exfiltration domains. It keeps a counter and uses base64 encoding to produce a new domain name:
This will lead to, for example, these exfiltration domains. The first one was registered on August 31st.
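As an added defender-side example (not Sansec's code and not the skimmer's own), the script below assumes the simplest reading of this scheme: a decimal counter is base64-encoded and the result, lowercased and without padding, becomes the host label. It precomputes the hostnames such a counter would yield and matches them against constructed proxy log lines; the hostnames, TLD and log format are all assumptions.

```python
import base64
import re

# Assumed scheme (not taken from the article): label = base64(str(counter)),
# padding stripped, lowercased because DNS names are case-insensitive.
# Base64 of decimal digits never yields '+' or '/', so labels are DNS-safe.
def candidate_label(counter):
    encoded = base64.b64encode(str(counter).encode("ascii")).decode("ascii")
    return encoded.rstrip("=").lower()

def build_watchlist(max_counter, tlds):
    """Map every hostname the counter could produce (1..max_counter) back to its counter."""
    return {
        "%s.%s" % (candidate_label(n), tld): n
        for n in range(1, max_counter + 1)
        for tld in tlds
    }

# Pull the host part out of any URL appearing in a log line.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def find_dga_hosts(log_lines, watchlist):
    """Return (line_no, host, counter) for each request to a watchlisted host."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in watchlist:
                hits.append((line_no, host, watchlist[host]))
    return hits

# Constructed sample proxy log; the .example TLD is reserved for documentation.
SAMPLE_LOG = [
    '203.0.113.10 - "POST https://mtaw.example/collect HTTP/1.1" 200',
    '203.0.113.11 - "GET https://cdn.shop-assets.example/checkout.js HTTP/1.1" 200',
    '203.0.113.12 - "POST https://mq.example/collect HTTP/1.1" 200',
]

def scan_sample():
    # Counter values 1..500 are enough to cover the constructed sample.
    return find_dga_hosts(SAMPLE_LOG, build_watchlist(500, ("example",)))

if __name__ == "__main__":
    for line_no, host, counter in scan_sample():
        print("line %d: %s (counter %d)" % (line_no, host, counter))
```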
Here is an example of how the raw malware is hidden in the ecommerce websites:
SaaS ecommerce platforms and security
This campaign shows that platforms are no boundary to the profitable fraud of web skimming or formjacking. Wherever customers enter their payment details, they are at risk. Merchants should implement measures to actively counter this.
Please contact Sansec if you think an attacker has added a fake payment form to your ecommerce website.