Web Skimmer Steals Card Data Already Stolen by Other Hackers


Malwarebytes specialists have discovered an interesting MageCart script (web skimmer) that not only infects online stores and steals visitors’ credit card data, but also feeds off malware deployed by other hackers.

Originally, the name MageCart referred to a single hacker group that was the first to inject web skimmers (malicious JavaScript) into online store pages to steal credit card data. However, this approach proved so successful that many copycats soon appeared, and the term MageCart became a generic name for this entire class of attacks.

Researchers found the new skimmer while investigating a wave of breaches affecting online stores running the outdated Magento 1 platform. While the presence of malware on such sites is not surprising, the malicious code infecting them was particularly interesting.

“The attackers developed a special version of the script that is aware of sites already infected with another skimmer for Magento 1. The second skimmer simply collects credit card data from already existing fake forms that were injected into the site by previous attackers,” Malwarebytes analysts report.

Fake Forms and Malicious Code

One of the victims of these attacks was Costway, a company using Magento 1 for its online stores in France, the UK, Germany, and Spain. The first hacker group breached the company’s sites and injected fake payment forms to steal customers’ financial data. The second hacker group then loaded its own custom web skimmers onto these sites from the domain securityxx[.]top. One script collects data from the first group’s existing skimmer, while the other activates only if the store has been cleaned of the malware introduced during the initial Magento 1 breach.

Traffic from Three Skimmers

As a result, two hacker groups managed to inject three different MageCart scripts into the compromised store sites. Researchers note that such situations are not uncommon, and MageCart groups often compete with each other, destroying or attempting to use the malware of their “colleagues.”
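A defender-side check for the situation described above, where injected fake payment forms and skimmers loaded from a third-party domain share one checkout page. This is an added example, not code from Malwarebytes or the original article; the script-host allowlist, the card-field hints, and all host names and form ids in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Heuristic substrings marking a payment-card input (assumed, tune per store).
CARD_HINTS = ("cc-number", "cardnumber", "card_number", "cc_number", "cvv", "cvc")

class CheckoutAudit(HTMLParser):
    """Collect script hosts and forms containing card inputs from one page."""
    def __init__(self):
        super().__init__()
        self.script_hosts, self.card_forms = [], []
        self._form, self._has_card = None, False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative (same-origin) URLs
            if host:
                self.script_hosts.append(host.lower())
        elif tag == "form":
            self._form = a.get("id") or a.get("action") or "<unnamed>"
            self._has_card = False
        elif tag == "input" and self._form is not None:
            probe = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete")).lower()
            self._has_card |= any(h in probe for h in CARD_HINTS)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._has_card:
                self.card_forms.append(self._form)
            self._form = None

def audit(html, allowed_hosts, expected_card_forms):
    """Return script hosts outside the allowlist and card forms nobody expected."""
    p = CheckoutAudit()
    p.feed(html)
    p.close()
    unknown = sorted({h for h in p.script_hosts
                      if not any(h == a or h.endswith("." + a) for a in allowed_hosts)})
    return {"unknown_script_hosts": unknown,
            "unexpected_card_forms": [f for f in p.card_forms if f not in expected_card_forms]}

# Constructed sample page; all hosts and form ids are made up for illustration.
SAMPLE = """<script src="/js/mage/checkout.js"></script>
<script src="https://cdn.shop.example/js/payment.js"></script>
<script src="https://static.skimmer.example/m.js"></script>
<form id="co-payment-form"><input name="payment[method]" value="redirect"></form>
<form id="pay-overlay"><input name="cardnumber" autocomplete="cc-number"><input name="cvv"></form>"""
if __name__ == "__main__":
    print(audit(SAMPLE, {"shop.example"}, set()))
```

Run against the rendered checkout HTML on a schedule: a store that redirects to an external payment gateway should report no card forms at all, so any entry in `unexpected_card_forms` deserves a look even when the script list is clean.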
