Zscaler ThreatLabz documents four under-documented groups carrying out payment card skimming against Magento and PrestaShop e-commerce stores, with activity since mid-2022 and a spike during the holiday season. The campaigns rely on heavily obfuscated JavaScript, attacker-controlled infrastructure, and domain impersonation to stealthily collect card data at checkout.
Key points
- Payment card skimming remains a prevalent threat to e-commerce stores, with campaigns targeting Magento and PrestaShop since July 2022.
- The attacks predominantly affect stores in the US, UK, Australia, and Canada, and tend to have a shelf life of more than one month.
- New skimming variants rely heavily on JavaScript obfuscation to evade detection.
- Group 1 and Group 2 skimmers focus on collecting card data from checkout pages and exfiltrating it to attacker-controlled servers.
- Group 4 uses highly obfuscated skimmers injected into legitimate jQuery libraries to blend in with normal traffic.
- Zscaler detects these campaigns under the JS.POS.Magecart family, highlighting ongoing web-based threats during peak shopping periods.
- The blog provides a wide set of indicators of compromise (IOCs), including domains, injected JS URLs, and exfiltration endpoints.
MITRE Techniques
- [T1583] Acquire Infrastructure – The attacker infrastructure includes attacker-registered domains hosting skimmer code. Quote: “…the JavaScript skimmer code was hosted on attacker-registered domains.” The post also identifies 2 unique domains used in this attack by the threat actor.
- [T1059.007] JavaScript – The skimmer uses JavaScript to monitor and interact with the checkout process (e.g., “setInterval” and event listeners). Quote: “Uses the setInterval() function to check every 1.5 seconds whether the current URL contains the string ‘/checkout/#payment’.”
- [T1056.003] Web Form Grabbing – The skimmer captures payment card information by examining HTML fields tied to the payment processor. Quote: “The skimmer captures the credit card information by searching for HTML fields corresponding to the payment processor used by the targeted store.”
- [T1041] Exfiltration Over C2 Channel – The stolen data is exfiltrated to attacker servers via HTTP POST/beacon mechanisms. Quote: “exfiltrates the information using the pixtar() function which creates an image tag and sets the source to the exfiltration URL.”
- [T1027] Obfuscated/Compressed Files and Information – Some skimmer variants are obfuscated to evade detection. Quote: “This second variant of the CC skimmer code was obfuscated…”
- [T1036] Masquerading – Several groups impersonate legitimate domains or CDN-like domains to blend in with normal traffic. Quote: “domains impersonate as content delivery networks (CDNs) in order to blend in with legitimate traffic.”
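The behaviours listed above (attacker-registered domains, analytics/jQuery lookalike script names on CDN-like hosts, image-tag exfiltration) can be turned into a simple defender-side triage of the resources a checkout page loads. The following is an added example, not code from the ThreatLabz post; the allowlisted store hosts and the sample resource list are assumptions constructed for it, while the IOC domains and paths come from the post.

```javascript
// Added example (not from the ThreatLabz post): triage the resource URLs a
// checkout page loaded (from a HAR export or CSP violation reports) against the
// post's defanged IOCs and the store's own allowlist of approved hosts.
const IOC_DOMAINS_DEFANGED = ["modersecure[.]com", "payment-analytics[.]info", "artmodecssdev[.]art"];
// The store's legitimate hosts are an assumption made for this example.
const ALLOWED_HOSTS = ["shop.example.com", "www.google-analytics.com", "code.jquery.com"];

// Turn "modersecure[.]com" back into "modersecure.com" so it can be matched.
function refang(domain) {
  return domain.replace(/\[\.\]/g, ".").toLowerCase();
}
const IOC_DOMAINS = IOC_DOMAINS_DEFANGED.map(refang);

// True when host is the domain itself or any subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Classify one loaded URL. `initiator` is the element type that requested it
// ("script", "img", ...), as a HAR entry or CSP report records it.
function classifyResource(url, initiator) {
  const { hostname, pathname } = new URL(url);
  const host = hostname.toLowerCase();
  if (IOC_DOMAINS.some((d) => hostMatches(host, d))) return { url, verdict: "known-skimmer-ioc" };
  if (ALLOWED_HOSTS.some((d) => hostMatches(host, d))) return { url, verdict: "allowed" };
  // The post's skimmers pose as analytics/jQuery files on CDN-like hosts and
  // exfiltrate through <img> beacons, so unapproved hosts doing either get flagged.
  const lookalike = /analytics|jquery/.test(pathname.toLowerCase()) || /analytics|secure|cdn/.test(host);
  if (initiator === "img" || (initiator === "script" && lookalike)) {
    return { url, verdict: "suspicious-unlisted-host" };
  }
  return { url, verdict: "unlisted-host" };
}

function triageResources(entries) {
  return entries.map((e) => classifyResource(e.url, e.initiator));
}

// Constructed sample of what a checkout page loaded; the IOC paths are from the post.
const SAMPLE = [
  { url: "https://shop.example.com/static/checkout.js", initiator: "script" },
  { url: "https://modersecure.com/sources.200x/google-analytics.js", initiator: "script" },
  { url: "https://cdn.payment-analytics.info/validate/62b3bb447edb100b96c9e6c5", initiator: "img" },
  { url: "https://stats.lookalike.example/analytics.js", initiator: "script" },
];
console.table(triageResources(SAMPLE));
```

Anything flagged as `suspicious-unlisted-host` is a candidate for the store's CSP `script-src`/`img-src` review, since a strict allowlist there blocks both the lookalike script load and the image-tag beacon.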
Indicators of Compromise
- Domains – modersecure[.]com, payment-analytics[.]info
- Injected JS URLs – modersecure[.]com/sources.200x/google-analytics.js, artmodecssdev[.]art/js/av/analytics-google-c82qllg46bw1g23ed2775c5fr9fa.js
- Exfil URLs – modersecure[.]com/sources.200x/analytic.php, artmodecssdev[.]art/secure/av/secure.php
- Group 2 Exfil URL – payment-analytics[.]info/validate/62b3bb447edb100b96c9e6c5