Fake Google Domains Used To Target Magento Websites For Credit Card Skimming

Another Magento card skimming attack is active in the wild. In this case, the attackers inject code into websites that loads from fake Google domains, tricking users into completing their payments because the site still appears legitimate.

Fake Google Domains For Card Skimming

As revealed in a blog post by Sucuri, Magento e-stores now face another cyber threat. This time, the attackers are targeting Magento e-commerce websites with card skimming attacks that use fake Google domains.

The attacks are occurring in the wild as an active campaign. The problem caught the researchers' attention when the owner of a compromised Magento website contacted them for help with a blacklisted domain. The affected website was also triggering 'Dangerous Site' warnings from McAfee SiteAdvisor.

Investigation of the website revealed the presence of malicious JavaScript code. As stated in the blog post,

the site had been infected with a credit card skimmer loading JavaScript from the malicious internationalized domain google-analytîcs[.]com (or xn--google-analytcs-xpb[.]com in ASCII).

The researchers read the use of 'google' in the malicious domain as an attempt to trick users.

Website visitors may see a legitimate name (like “Google”) in requests and assume that they’re safe to load, without noticing that the domain isn’t an exact match and is actually malicious in nature.

Upon execution, the code steals the data entered into the page's form input fields and drop-down menus, which it collects using document.getElementsByTagName.

Smart Devtools Detection

While an initial look at the malicious JavaScript used in these attacks makes the code appear no different from a usual Magento card skimmer, this one differs from others in that it has a smart detection feature for DevTools. When DevTools are open in Google Chrome or Mozilla Firefox, the code simply stops data exfiltration.

In fact, the malicious JavaScript doesn’t even exfiltrate any of the captured input data to the C2 server if developer tools are open, which it detects using window.devtools.open.

This is a reasonably effective technique for evading analysis: anyone who opens DevTools to inspect the checkout page sees no outbound request, because the skimmer goes quiet. In the absence of DevTools, the malware exfiltrates users' data to a remote C&C server. At this point, it again bluffs users with another fake Google domain, “google[.]ssl[.]lnfo[.]cc”. Unlike the first domain, this one is not an internationalized trick: 'google' is merely a subdomain of lnfo[.]cc, where 'lnfo' is spelled with a lowercase L in place of the i of 'info'.

Earlier this month, Sucuri also spotted a malicious script, ‘Magento Killer’, targeting Magento e-stores to steal data.
