
Rewterz Threat Alert – Skimmer Acts as Payment Service Provider via Rogue iframe to Harvest Credit Card Information

May 24, 2019

Severity

Medium

Analysis Summary


Suspicious activity was observed on a Magento site. Two checkout pages were compared side by side; they look slightly different, and the one on the right is the suspicious site. A skimmer had injected its own credit card fields into the altered checkout page.

[Image: side-by-side comparison of the legitimate and altered checkout pages]

The text below the credit card field is what specifically caught the researchers' attention. It reads:

“Then you will be redirected to PayuCheckout website when you place an order.”

Even though online merchants do use such forms (including iframes) as part of their checkout pages, what is suspicious here is that users are then redirected to another checkout page (this time the legitimate one) and asked to enter their credit card details again.

Having to enter payment details twice should be a red flag, because it is a common pattern on phishing sites.

Upon further investigation, injected code was found in all of the PHP pages of the site, but it only triggered when the URL in the address bar was the shopping cart checkout page (onestepcheckout).

When those conditions are met, an external piece of JavaScript is loaded from thatispersonal[.]com. Browsing directly to this URL without the correct Referer header (one of the hacked Magento sites) returns a decoy script instead. The real script is heavily obfuscated and creates the iframe box shown above for harvesting credit card details.

It also loads another obfuscated long script ([hackedsite]_iframe.js) to process, validate, and then exfiltrate the user data.

Impact

  • Credential theft
  • Data Exfiltration
  • Potential financial loss

Indicators of Compromise

URLs

  • thatispersonal[.]com
  • top5value[.]com
  • voodoo4tactical[.]com

Remediation

Block the threat indicators at your respective controls.
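One way to hunt for this kind of injected loader in a shop's own files, as an added example that is not part of the advisory: it refangs the advisory's IoC domains and flags every script or iframe loaded from an external host that is not on an assumed allowlist. Because the loader described above sat in every PHP page and only fired on the checkout URL, the scan is meant to run over all page files, not just the checkout page. The allowlist hosts and the sample pages are constructed.

```python
import re
from urllib.parse import urlparse

# Defanged domains listed in the advisory's Indicators of Compromise.
ADVISORY_IOCS = ["thatispersonal[.]com", "top5value[.]com", "voodoo4tactical[.]com"]

# Hosts this shop is expected to load scripts or iframes from (assumed; set per site).
ALLOWLIST = {"static.shop.example", "gateway.payment-provider.example"}

# <script src=...> and <iframe src=...>; the skimmer used both a loader script and an iframe.
SRC_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as thatispersonal[.]com into a matchable host."""
    return indicator.replace("[.]", ".").strip().lower()


def external_sources(markup: str):
    """Yield (tag, host) for every script/iframe whose src points at another host.
    Relative sources have no hostname and are skipped."""
    for tag, url in SRC_RE.findall(markup):
        host = urlparse(url).hostname  # protocol-relative //host/x.js parses as well
        if host:
            yield tag.lower(), host.lower()


def scan_page(path: str, markup: str, iocs=ADVISORY_IOCS, allowlist=ALLOWLIST):
    """Flag external loaders in one page. Run it over every PHP/template file, not only
    the checkout page: the advisory's loader sat in all pages and fired only on checkout."""
    bad = {refang(i) for i in iocs}
    findings = []
    for tag, host in external_sources(markup):
        if host in allowlist:
            continue
        hit = host in bad or any(host.endswith("." + b) for b in bad)
        findings.append({"file": path, "tag": tag, "host": host,
                         "verdict": "ioc-match" if hit else "unknown-external"})
    return findings


# Constructed sample pages (not taken from a real compromised site).
CLEAN_PAGE = '<script src="/js/app.js"></script><script src="https://static.shop.example/a.js"></script>'
INJECTED_PAGE = ('<script src="https://static.shop.example/a.js"></script>'
                 "<script src='//thatispersonal.com/loader.js'></script>"
                 '<iframe src="https://cdn.unknown-example.net/box.html"></iframe>')

if __name__ == "__main__":
    for path, markup in {"index.php": CLEAN_PAGE, "onestepcheckout.php": INJECTED_PAGE}.items():
        for f in scan_page(path, markup):
            print(f"{f['verdict']:16} {f['file']}: <{f['tag']} src> -> {f['host']}")
```

An "unknown-external" verdict is not proof of compromise, only an unreviewed third-party host; "ioc-match" hits should be treated as the advisory's indicators being present on the site.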

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.