Hundreds of Online Stores Leak Buyer Payment Data

During a recent attack on a large number of online stores running the Magento platform, customer payment card data was stolen by a web skimmer. The stolen data included card numbers, expiry dates, and CVV/CVC codes. Researchers at Malwarebytes described in detail how the attackers managed to capture this information. According to Malwarebytes, hundreds of online stores were affected.

The attackers exploited a vulnerability in Magento to insert malicious code into the payment page. This code, a single line of script, loaded further content from a remote site. The attackers set up multiple websites to collect the stolen data. Analysis revealed that at least several hundred online stores were compromised in this campaign.

When a buyer entered payment card details on an affected store's payment page, the skimmer intercepted the data and sent it to the attackers' server. Even where a store handed the payment off to a third-party processor, the skimmer captured the card data before it reached the legitimate company.

By identifying dozens of malicious domains used by the attackers and adding them to its blocklist, the researchers blocked more than 1,100 attempts to steal data. Digital skimmers are difficult to detect because they blend into legitimate payment pages without raising users' suspicion. Monitoring the page's network traffic or inspecting it with browser developer tools can help reveal such threats.
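As an added example (not from the article or from Malwarebytes), the following script performs the two checks the paragraph above recommends, in a form that can be run offline or pasted into a browser console: it lists every external script a checkout page loads and flags any whose origin is not on the store's allowlist, and it scans a captured request log for POSTs issued from the checkout page to unlisted origins, the pattern a skimmer produces when it sends captured card data away. The allowlist, the `.example` hostnames, the page markup and the request log are all constructed for the example.

```javascript
// Added example: audit a checkout page for web-skimmer indicators.
// All hostnames, markup and log entries below are constructed, not real.

// Origins the store legitimately loads scripts from or sends data to.
// Assumption: a real deployment would take this list from its own inventory.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",
  "https://static.shop.example",
  "https://checkout.payment-processor.example", // hypothetical payment processor
]);

// Constructed checkout page markup: a first-party script, the processor's
// SDK, and one injected line that pulls a loader from an unknown host.
const SAMPLE_HTML = `
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="https://checkout.payment-processor.example/sdk.js"></script>
<script src="https://cdn-stats-collector.example/loader.js"></script>
`;

// Constructed outbound-request log, as a proxy or the browser's Network tab
// would show it: method, URL and the page that issued the request.
const SAMPLE_REQUESTS = [
  { method: "POST", url: "https://checkout.payment-processor.example/v1/tokens", referrer: "https://shop.example/checkout" },
  { method: "GET",  url: "https://static.shop.example/img/logo.png",             referrer: "https://shop.example/checkout" },
  { method: "POST", url: "https://cdn-stats-collector.example/collect",          referrer: "https://shop.example/checkout" },
];

// Collect every external script URL from the markup. In a browser the same
// list is Array.from(document.scripts, s => s.src); parsing a string here
// keeps the example runnable offline.
function externalScriptUrls(html) {
  const urls = [];
  const re = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Normalise a URL to its origin so that paths and query strings do not matter.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Scripts loaded from origins that are not on the allowlist.
function unexpectedScripts(html, allowed = ALLOWED_ORIGINS) {
  return externalScriptUrls(html).filter((u) => !allowed.has(originOf(u)));
}

// POSTs issued from the checkout page to origins that are not on the
// allowlist: card data leaving the page towards a host the store never chose.
function suspiciousCheckoutPosts(requests, allowed = ALLOWED_ORIGINS) {
  return requests.filter((r) =>
    r.method === "POST" &&
    /\/checkout\b/.test(r.referrer) &&
    !allowed.has(originOf(r.url)));
}

console.log("Unexpected scripts:", unexpectedScripts(SAMPLE_HTML));
console.log("Suspicious POSTs:", suspiciousCheckoutPosts(SAMPLE_REQUESTS).map((r) => r.url));
```

On a live page the same functions can be fed `document.documentElement.outerHTML` and an export of the Network tab. The audit only reveals a skimmer after it has loaded; the preventive counterpart is a Content-Security-Policy whose `script-src` and `connect-src` directives name the same allowlist, so that a script from, or a POST to, an unlisted origin is refused by the browser before any card data is captured.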

The affected stores have either removed the malicious code or temporarily suspended operations, but some compromised sites remain vulnerable. Note that theft by a skimmer can expose not only financial information but also personal data such as email addresses, home addresses, and phone numbers. Users who suspect their data was leaked are advised to contact their bank to request a new card and to consider an identity protection service.

In July, Sucuri researchers identified a new data-theft method on the Magento platform: attackers used swap files to plant persistent malware that steals credit card data. Storing the code this way improves its ability to survive removal attempts, allowing it to persist on the infected system even after the visible copy is deleted.
