Suspicious activity was seen on a Magento site. The two checkout pages below look slightly different, with the one on the right being the suspicious version. It was found that a skimmer had injected its own credit card fields into the altered checkout page.
The text below the credit card field is what specifically caught the researchers' attention; it reads:
“Then you will be redirected to PayuCheckout website when you place an order.”
Online merchants do use such forms (including iframes) as part of their checkout pages; what is suspicious here is that the users are then redirected to another checkout page (this time the legitimate one) to enter their credit card details again.
Having to enter card details twice should be a red flag, since it is a common pattern on phishing sites.
On further investigation, the injected code was found to be present in all the PHP pages of the site, but it only triggered if the current URL in the address bar was the shopping cart checkout page (onestepcheckout).
It also loads another long, obfuscated script ([hackedsite]_iframe.js) to process, validate and then exfiltrate the user's data.
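The two traits just described (a script block repeated across every PHP page that only acts on the onestepcheckout URL, and a loader for a `*_iframe.js` file) are enough to write a simple triage scanner for a suspected site's webroot. The script below is an added example for defenders, not the researchers' tooling and not the real injected code: the `INJECTED` and `CLEAN` snippets are constructed stand-ins that only carry the indicator strings from the page, and the assumption that the injection is an inline or external `<script>` element (rather than, say, a PHP include) is a guess about the sample's shape.

```python
"""
Heuristic triage scanner for the Magento skimmer traits described above.
Constructed example: the indicator strings (onestepcheckout, *_iframe.js)
come from the write-up; the sample PHP files are stand-ins, not the skimmer.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# ASSUMPTION: the injection is a <script> element. Real samples may differ.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
IFRAME_JS_RE = re.compile(r"[\w\-]+_iframe\.js\b", re.IGNORECASE)
# A URL/location check sitting within 80 chars before "onestepcheckout"
CHECKOUT_GATE_RE = re.compile(
    r"(location|href|pathname|URL)[^;]{0,80}onestepcheckout", re.IGNORECASE
)


def find_suspicious_scripts(html: str) -> list[dict]:
    """One finding per <script> element that shows a trait from the write-up."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        tag, body = m.group(0), m.group(1)
        open_tag = tag.split(">", 1)[0]          # attributes of <script ...>
        reasons = []
        src = SRC_RE.search(open_tag)
        if src and IFRAME_JS_RE.search(src.group(1)):
            reasons.append(f"loads external {src.group(1)}")
        if IFRAME_JS_RE.search(body):
            reasons.append("inline reference to *_iframe.js")
        if CHECKOUT_GATE_RE.search(body):
            reasons.append("inline script gated on onestepcheckout URL")
        if reasons:
            findings.append({
                "offset": m.start(),
                "reasons": reasons,
                # hash of the body so identical blocks can be correlated
                "sha256": hashlib.sha256(body.encode()).hexdigest(),
            })
    return findings


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Scan every .php/.phtml file under root; map relative path -> findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".php", ".phtml"}:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_suspicious_scripts(text)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


def widespread_blocks(results: dict, min_files: int = 2) -> dict[str, list[str]]:
    """Script bodies recurring across files: the write-up says the injected
    code sat in every PHP page, so a block shared by many files is itself a
    signal even before its content is decoded."""
    seen: dict[str, set] = {}
    for path, hits in results.items():
        for h in hits:
            seen.setdefault(h["sha256"], set()).add(path)
    return {d: sorted(p) for d, p in seen.items() if len(p) >= min_files}


# Constructed demo pages (NOT the real injected code): a gated loader that
# only fires on the checkout URL, plus a clean template for contrast.
INJECTED = (
    "<script>"
    "if(window.location.href.indexOf('onestepcheckout')!==-1){"
    "var s=document.createElement('script');"
    "s.src='/js/example-shop_iframe.js';document.head.appendChild(s);}"
    "</script>"
)
CLEAN = "<script src='/js/mage/checkout.js'></script>"


def build_demo_site() -> str:
    """Write three sample files into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="magento_demo_"))
    (root / "app").mkdir()
    (root / "index.php").write_text(f"<?php echo 'home'; ?>\n<html>{INJECTED}</html>")
    (root / "app" / "checkout.phtml").write_text(f"<div>{CLEAN}{INJECTED}</div>")
    (root / "app" / "footer.phtml").write_text(f"<footer>{CLEAN}</footer>")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_site()
    hits = scan_tree(demo)
    for f, h in hits.items():
        print(f, [r for x in h for r in x["reasons"]])
    print("blocks shared across files:", widespread_blocks(hits))
```

Run it against a copy of the webroot rather than the live server, and treat a hit as a reason to pull the file for manual review, not as proof on its own: a legitimate one-step-checkout extension will also mention `onestepcheckout` in its scripts, so the combination of the URL gate, the `_iframe.js` loader and the same block appearing in unrelated templates is what should raise the alarm.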
Indicators of Compromise
Block the threat indicators at your respective controls