Researchers detail a Magecart campaign in which a threat actor uses a custom fraudulent modal to hijack checkout and steal credit card data from compromised PrestaShop stores. The skimmer relies on a well-crafted modal, dynamic HTML, obfuscated code, and a redirect flow to third-party processors such as Mercado Pago and Dalenys/Payplug. #Kritec #Magecart #MercadoPago #Dalenys #Payplug #PrestaShop
Key points
- The attacker injects a fraudulent modal overlay at checkout to capture payment card details from victims.
- The modal is designed to look authentic, reusing the store's logos and even French-language labels for its form fields.
- Compromised stores share a pattern: a custom script (store-loader.js) is loaded via injected code, and multilingual fraudulent modals have been observed across sites.
- The skimmer's HTML is generated dynamically and is visible only after decoding the obfuscated content (decodeURIComponent and Base64 layers).
- The legitimate payment flow is redirected to a third‑party processor (Dalenys/Payplug) after initial capture, with a brief fake error message shown to users.
- After the card data is stolen, a session cookie is set so the modal is not displayed again on subsequent checkout attempts.
- The activity appears ongoing and widespread, involving multiple domains and possibly multiple actors using similar loader patterns.
MITRE Techniques
- [T1056.003] Web forms – The skimmer uses a fake modal overlay to capture credit card data during checkout. Quote: “The problem is that this modal is entirely fake and designed to steal credit card data.”
- [T1140] Deobfuscate/Decode Files or Information – The skimmer is heavily obfuscated and HTML content goes through a decodeURIComponent routine. Quote: “the skimmer is rather complex and heavily obfuscated but we can see that HTML content is generated dynamically and goes through a decodeURIComponent routine.”
Indicators of Compromise
- [Domain] Domain names – genlytec[.]us, shumtech[.]shop, zapolmob[.]sbs, daichetmob[.]sbs, interytec[.]shop, pyatiticdigt[.]shop, stacstocuh[.]quest
- [IP] IP addresses – 195.242.110[.]172, 195.242.110[.]83, 195.242.111[.]146, 45.88.3[.]201, 45.88.3[.]63
- [YARA rule] YARA rule – kritecloader (matches the loader script; the condition requires all four strings):
    rule kritecloader {
        strings:
            $string = "'fetchModul'"
            $string2 = "'setAttribu'"
            $string3 = "'contentWin'"
            $string4 = "'zIndex'"
        condition:
            all of them
    }
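The following Python analyzer is an added example, not code from the Malwarebytes write-up, covering two of the points above: it peels nested decodeURIComponent(atob("...")) layers of the kind the skimmer uses to hide its modal HTML (the T1140 entry), and it applies the string condition of the kritecloader YARA rule to the loader script. The sample loader script, the regular expressions, the card-field pattern and the function names are constructed for illustration and assume the obfuscation wraps double-quoted string literals; only the four rule strings come from the page.

```python
import base64
import json
import re
import urllib.parse

# The four strings from the page's kritecloader YARA rule; condition is "all of them".
KRITEC_LOADER_STRINGS = ("'fetchModul'", "'setAttribu'", "'contentWin'", "'zIndex'")

# A double-quoted JS/JSON string literal body (handles backslash escapes).
_STR = r'"((?:[^"\\]|\\.)*)"'
# Literal-argument wrappers the analyzer knows how to undo (assumption: double quotes).
_ATOB_RE = re.compile(r"atob\(\s*" + _STR + r"\s*\)")
_DECODE_RE = re.compile(r"decodeURIComponent\(\s*" + _STR + r"\s*\)")

# Hypothetical card-capture field names to look for in decoded HTML.
CARD_FIELD_RE = re.compile(r'name="(card[_-]?number|cvv|cvc|exp[_-]?date|expiry)"', re.I)


def matches_kritec_loader(script: str) -> bool:
    """Same logic as the YARA rule: every string must appear in the script."""
    return all(s in script for s in KRITEC_LOADER_STRINGS)


def peel_layers(script: str, max_layers: int = 10) -> tuple[str, list[str]]:
    """Replace literal atob()/decodeURIComponent() calls with their decoded values.

    Returns the rewritten script and each decoded payload in the order it was
    recovered, so the last payload is the innermost (here: the modal HTML).
    """
    payloads: list[str] = []
    current = script
    for _ in range(max_layers):
        def _atob(m: re.Match) -> str:
            raw = json.loads('"' + m.group(1) + '"')
            text = base64.b64decode(raw).decode("latin-1")  # atob yields a byte string
            payloads.append(text)
            return json.dumps(text)  # re-emit as a valid double-quoted literal

        def _uri(m: re.Match) -> str:
            text = urllib.parse.unquote(json.loads('"' + m.group(1) + '"'))
            payloads.append(text)
            return json.dumps(text)

        nxt = _ATOB_RE.sub(_atob, current)
        nxt = _DECODE_RE.sub(_uri, nxt)
        if nxt == current:  # no more literal wrappers to unwrap
            break
        current = nxt
    return current, payloads


def find_card_fields(html: str) -> list[str]:
    """List card-capture input names present in a decoded HTML fragment."""
    return sorted({m.group(1).lower() for m in CARD_FIELD_RE.finditer(html)})


def analyze(script: str) -> dict:
    """Triage summary for one captured script: loader match, layers, card fields."""
    _final, payloads = peel_layers(script)
    fields = find_card_fields(payloads[-1]) if payloads else []
    return {
        "loader_match": matches_kritec_loader(script),
        "layers_decoded": len(payloads),
        "card_fields": fields,
    }


# Constructed sample (not the real Kritec skimmer): a fake payment modal hidden
# behind decodeURIComponent(atob("...")) in a loader that carries the rule's strings.
_MODAL_HTML = (
    '<div id="modal" style="z-index:9999"><form name="cc">'
    '<input name="card_number"><input name="cvv">'
    '<input name="exp_date"><button>Payer</button></form></div>'
)
_ENCODED = base64.b64encode(urllib.parse.quote(_MODAL_HTML, safe="").encode()).decode()
SAMPLE_SCRIPT = (
    "var f=['fetchModul','setAttribu','contentWin','zIndex'];"
    'var h=decodeURIComponent(atob("' + _ENCODED + '"));'
)

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_SCRIPT), indent=2))
```

Running the module on the constructed sample reports a loader match, two decoded layers and the three card fields; on a benign script that merely mentions zIndex, the loader match is false. When feeding real captures, extend the two wrapper regexes to the quoting style and helper names the sample actually uses rather than loosening the YARA condition.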
Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art