A threat operator has successfully infected a platform for e-commerce with a customised card skimmer, which was developed to acquire data that has been taken by a Magento credit card stealer deployed by an earlier attacker.

Payment card skimmers, sometimes called Magecart scripts or credit card skimmers, are malicious JavaScript codes that certain cybercriminal gangs, called Magecart groups, insert into hacked and vulnerable e-commerce websites as a key component of e-skimming or web skimming strategies.

The Magecart group’s ultimate aim was to steal the personal and payment details entered by the e-commerce shop’s customers and harvest it on servers that were remote and under their insidious control.

Criminals stealing from other criminals

Security researchers at Malwarebytes have recently uncovered new web skimming activity involving a skimmer using a piggyback scheme. The activity was discovered while the team was looking into a massive torrent of compromised e-commerce sites that had been running Magento 1 installations that were no longer supported.

While the identification of multiple payment card skimmer code on a single online store is not uncommon, the exceptionally specialised format of this attack stood out to the researchers at Malwarebytes.

Head of Threat Intelligence at Malwarebytes, Jérôme Segura, commented:

“The threat actors devised a version of their script that is aware of sites already injected with a Magento 1 skimmer. That second skimmer will simply harvest credit card details from the already existing fake form injected by the previous attackers.”

However, the malicious operator’s attempts to obtain the e-commerce site’s customers’ data didn’t end there. A second skimmer was also deployed to inject more form fields, which effectively mimicked the site’s chosen payment processor.

Anatomy of the two-step Magecart script attack

Impacted e-tailer Costway’s online shops for the UK, Spain, Germany, and France all employed Magento 1 software. All sites were impacted by the attack, as revealed by the Malwarebytes investigation.

The card skimmer launched by the initial cybercriminal that hacked Costway’s online stores injected dedicated data of its own onto the sites’ pages for checkout, stealing form fields.

Then, the second cybercriminal loaded up their customised card skimmers designed to harvest data directly from the skimmer already in position. A second or backup skimmer was also put into position, engineered to activate should the online store identify and clean the first cybercriminal’s malicious code from its site.

Segura commented on this process:

“A large number of Magento 1 sites have been hacked but yet are not necessarily being monetized. Other threat actors that want access will undoubtedly attempt to inject their own malicious code. When that happens, we see criminals trying to access the same resources and sometimes fighting with one another.”

Upon identifying the credit card skimmer infection, Malwarebytes immediately alerted Costway that it had been compromised, so it could take appropriate action.

Online enterprises have an obligation to their customers to report any cyberattacks that result in personal or financial data being stolen. Warned customers can cancel credit cards where necessary and watch their statements for any signs of payments made without their consent.