High
A malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information.
To obtain sensitive details, the malware loads external javascript whenever the URL contains “checkout” ?— this location typically belongs to the step in Magento’s checkout process where users enter their sensitive credit card information and shipping details. Both the string “checkout” and the remote URL are based64-encoded in an attempt to avoid detection. This second-stage JavaScript is heavily obfuscated and acts as a skimmer, identifying and exfiltrating credit card information and billing details to the attacker.