
Card Stealer Malware Uses New Evasion Technique

JavaScript Loaded by Malware From Blocked Domains
A new card stealer malware campaign that loads JavaScript malware from blocked domain lists to evade detection is targeting e-commerce sites that run Adobe's Magento software, security firm Sucuri reports.

Sucuri says one of its clients reported receiving warnings from its antivirus program when navigating to its checkout page. Researchers then found that threat actors were loading the JavaScript from at least 60 blocked domains that had been blacklisted for distributing carding malware.

The threat actors further obfuscated the malicious script by making it appear as if it were JavaScript tied to a website animation component.

"At first glance, it looks like some sort of obfuscated JavaScript related to animation, which isn’t all that uncommon to see and often looks malicious when it’s really quite benign," the researchers note. "However, upon closer inspection we uncovered that this was actually the payload of the infection."

The researchers determined that the malware consisted of three main components: an obfuscated payload, a decryption function and the execution of the decryption call.

"This example showed a creative use of animation CSS styles and the onanimationstart [an event handler for animationstart events]," the report notes. "It allowed the attackers to avoid the use of simple script tags, which is the first thing that security analysts check when searching for a JavaScript injection in Magento environments."
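The detection angle of the technique described above, as an added example that is not part of this article or of the Sucuri report: a small dependency-free Node.js scanner that flags HTML elements whose inline animation-event handler attributes (onanimationstart and relatives) could run code without any script tag, plus a check for inline @keyframes, since such a handler only fires when something is actually animated. The sample page, including the handler body decode(payload), is constructed for the example.

```javascript
// Added example: static scanner for inline animation-event handlers, the mechanism
// the report describes for executing a skimmer without a <script> tag.
// Regex-based on purpose so it runs with plain Node and no HTML parser;
// attribute values that themselves contain ">" are not handled.

const ANIMATION_HANDLERS = [
  'onanimationstart', 'onanimationend', 'onanimationiteration',
  'onwebkitanimationstart', 'onwebkitanimationend',
];

// An opening tag: captures the tag name and its raw attribute text.
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// name=value pairs with double-quoted, single-quoted or bare values.
const ATTR_RE = /([^\s=]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Returns one finding per element attribute that is an animation-event handler.
function findAnimationHandlers(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const [, name, attrText] = tag;
    for (const attr of attrText.matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (!ANIMATION_HANDLERS.includes(attrName)) continue;
      const value = attr[3] ?? attr[4] ?? attr[5] ?? '';
      findings.push({ tag: name.toLowerCase(), attribute: attrName, value, offset: tag.index });
    }
  }
  return findings;
}

// True when the page defines a CSS animation inline; pair with the handler
// findings, because a handler with no animation never fires.
function hasInlineKeyframes(html) {
  return /@(?:-webkit-)?keyframes\s+[\w-]+/i.test(html);
}

// Constructed sample page (not from the report): one benign animated element,
// two elements carrying animation-event handlers.
const SAMPLE_HTML = `<html><head><style>
@keyframes fadein { from { opacity: 0 } to { opacity: 1 } }
.fade { animation: fadein 1s; }
</style></head><body>
<div class="fade">Welcome</div>
<div class="fade" onanimationstart="decode(payload)"></div>
<img src="logo.png" ONANIMATIONEND='run()'>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findAnimationHandlers(SAMPLE_HTML), hasInlineKeyframes(SAMPLE_HTML));
}
```

Run against a saved copy of a checkout page; any finding is worth a manual look, since legitimate animation components rarely need an inline handler on the element.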

JavaScript Skimming

Many e-commerce sites have been hit by JavaScript card stealer campaigns.

For instance, in May, Magecart Group 12 used an updated attack technique to gain remote administrative access to sites that run an older version of Adobe's Magento software, Malwarebytes Labs’ Threat Intelligence Team reported (see: Magecart Skimming Tactics Evolve).

In September 2020, researchers warned that about 2,000 sites that use the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

Adobe Magento is one of the world's most widely used e-commerce platforms, with about 250,000 users, according to Adobe's website.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
