Credit card skimming operations may go unnoticed for months while payment information is taken from clients, so threat actors are gearing up for the holidays. Magecart skimming is an attack that includes injecting malicious JavaScript code into a target website and causing it to run while the visitor is on the checkout page.
Payment information such as credit card numbers, holder names, addresses, and CVVs can be stolen and sent to the actor via the code. Threat actors may then use this information to buy products online or sell it to other players on “carding” sites, underground forums, and dark web markets.
Researchers from Akamai uncovered a Magecart attack on SCUF Gaming International, a prominent producer of custom PC and console controllers, in October 2021, which resulted in the compromising of 32,000 people’s financial information.
By digging further, the researchers discovered that the same attacker that attacked SCUF was also running an extensive network of skimmers that collected credit card information from multiple websites. These are:
- whitemountainshoes.com – Shoes and footwear (Alexa rank: 425k)
- truebrands.com – Professional beverage accessories (Alexa rank: 113k)
- goldboutique.com – Jewelry (Alexa rank: 1.4 M)
- schlafstaette.de – Sleep products
- proaudiostar.com – Professional audio equipment (Alexa rank: 150k)
- nafnaf.com – Fashion apparel (Alexa rank: 85k)
- loudmouth.com – Clothing and special apparel (Alexa rank: 1.2 M)
The lower the Alexa rank, the more traffic a website gets, hence the longer the skimmer goes undiscovered, the more credit card information Magecart actors collect. To keep their skimmers concealed on compromised sites, actors limit their script activity to only valuable pages, making Akamai’s analysis more difficult.
“We found that the skimmer’s command and control (C2) server responds with clean code when running on non-sensitive pages…,” clarifies Akamai’s report.
“…and (the skimmer) only sends the malicious code if it runs on checkout pages, where credit card information can be found.”
Magecart players use another anti-detection tactic by creating a new skimmer domain for each targeted website. If their skimming operation is uncovered, they disable that domain and continue their harmful operations on other sites. Because the players employed the same C2 domain for four websites in this example, a tiny cluster was instantly revealed.
Consumers who purchase online should be extremely vigilant around the holidays when Magecart actors ramp up their efforts. E-commerce site owners, not visitors, are responsible for detecting skimmers. Therefore, visitors can do the following:
- Use an up-to-date internet security solution
- Use one-time “virtual” card solutions
- Pay with cash on delivery if possible
- Prefer paying with electronic methods instead of cards
If you purchased anything with one of the seven credit cards listed above this year, consider your payment information compromised and contact your bank to obtain a new card.