Security researchers discovered a web-skimming operation that claimed more than 8.8 million victims worldwide. Since January 2022, the criminals attacked legitimate Web shops, injecting malware into the checkout process to steal credit card information.

Magecart

The campaign is an example of a Magecart attack. Magecart refers to a collection of criminal groups that inject malicious JavaScript code into legitimate online stores. The name originated in attacks on sites built on the Magento platform, but the methods have spread to many other e-commerce systems over time. Silent Push’s team traced the operation to a domain, cdn-cookie.com, hosted on a so-called bullet-proof hosting service formerly known as Stark Industries and now renamed THE[.]Hosting under Dutch ownership.

Analysis of the malware

When a customer visits a compromised checkout page, the injected script – often called recorder.js or tab-gtm.js – executes in the browser. It first checks the Document Object Model (DOM) for an element called wpadminbar, a toolbar that appears on WordPress sites when an administrator is logged in. If the toolbar is detected, the script removes itself from the page and stops executing, a technique designed to avoid detection by site administrators.

The malware is activated when the DOM of the page changes, which happens as soon as a user performs an action on the site. Next, the script checks to see if the user has selected Stripe as the payment method. If Stripe is selected, the script looks for the flag wc_cart_hash in the localStorage of the browser. The mechanism ensures that the user is targeted only once.

When the flag is missing, the script replaces the legitimate Stripe form with a fake form that appears identical to the real one. The fake form collects the credit card and contact information and sends it the domain lasorie.com. Because the script hides the original Stripe fields, the payment gateway reports an error at checkout, making it appear that the customer has entered incorrect information. If the user tries again, the malware does not become active again, so the payment works the second time and the user does not realize anything.

Distribution

Worldwide, there are more than 8.8 million victims of this online skimming. Webshop owners can protect their customers by preventing their website from being hacked by ensuring that their website is hardened, security updates are performed on time and the website is security tested, such as with a pen test.

Want to know if your webshop is secure? Get in touch with us. We would love to help you!