Scammers exploit shopping gateway via magecart attacks to extract credentials from shoppers buying online.
In a blog, Malwarebytes Labs highlighted how cybercriminals were targeting the e-commerce industry by stealing the residential addresses of individuals through magecart attacks on online shoppers.
Besides stealing card and payment data, researchers also detected an increased reach to various geolocations.
What magecart attacks on online shoppers entails
Magecart refers to hacker groups that use skimming techniques to steal personal data. All the details entered on the payment forms are scraped using digital skimmers.
In this case, a legitimate Cloudflare endpoint API was found to be exploited to parse the results to get the shopper’s IP address and browser user agent.
Fingerprinting effort found in magecart attacks
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/22.214.171.124 Safari/537.36. According to the blog, via the sample, a hacker may be able to determine the following:
- The system is running Windows 10
- With the 64-bit version
- And the browser is Chrome
- Chrome version 110
Fingerprinting involves collating operating system information understandably for launching specific cyberattacks.
The use of iframes was also found to target checkout information. However, it would not work if the browser’s local storage did not have a font item that works like cookies and detects returning page visitors.
Gavin Wright, technical writer at TechTarget detailed, “An inline frame (iframe) is a HTML element that loads another HTML page within the document. It essentially puts another webpage within the parent page.”
Iframes are used to launch child iframes to embed videos, web analytics advertisements, etc. Iframes in the magecart attack on online shoppers were used by hackers to load another page in an existing parent page to copy the clicks made by users, steal page information, and potentially install malware.
The above image shows how the magecart attack camouflaged with legitimate pages to steal VISA card details of shoppers.
The figure below shows the IP address accessed in the magecart attack on online shoppers along with the user-agent (UA) string. UA strings in the HTTP work in coordinating end-user interaction. In this case, the interaction of the shopper in sending banking data.
Researchers argued that getting a new card after credentials are compromised may serve little to no purpose as sensitive personal data that gives way to unauthorized access is already pilfered by cybercriminals.
They also found the collection of IP addresses after all the other data in the magecart attack on shoppers was because they wanted to filter real shoppers from bots and security researchers.