Rewterz Threat Alert – Skimmer Acts as Payment Service Provider via Rogue iframe to Harvest Credit Card Information

Severity

Medium

Analysis Summary

A suspicious activity was seen on a Magento site. The following checkout pages look slightly different with the one on the right being the suspicious site. It was found that a skimmer had injected its own credit card fields on the altered checkout page.

The text below the credit card field specifically triggered the researchers as it says:

“Then you will be redirected to PayuCheckout website when you place an order.”

Even though online merchants use such forms (including iframes) as part of their checkout pages, what’s suspicious is that the users will be redirected to another checkout page (this time legitimate) to enter their credit card details again.

Having to enter their details twice should be a red flag because it’s a common scenario in case of phishing sites.

Upon further research, Injected code was found to be present in all the PHP pages of that site, but it only triggered if the current URL in the address bar was the shopping cart checkout page (onestepcheckout).

If the right conditions are met, an external piece of JavaScript is loaded from thatispersonal[.]com. However, directly browsing to this URL without the correct referer (one of the hacked Magento sites) will return a decoy script instead. The complete script is largely obfuscated and creates the iframe-box we saw above for harvesting credit card details.

It also loads another obfuscated long script ([hackedsite]_iframe.js) to process, validate, and then exfiltrate the user data.

Impact

• Credential theft
• Data Exfiltration
• Potential financial loss

Indicators of Compromise

URLs

• thatispersonal[.]com
• top5value[.]com
• voodoo4tactical[.]com

Remediation

Block the threat indicators at your respective controls