A notorious credit card data theft technique has resurfaced. Hackers primarily target e-commerce sites, especially during sales, to exfiltrate information and resell it.

Hackers never miss the sales: the waves of purchases on e-commerce sites are the perfect opportunity to dig into the wallets of unwary customers. Investigating a notorious bank data theft technique dubbed Magecart, Malwarebytes cyber experts discovered “a digital crime paradise”. They detail their investigation in a report published on January 9, 2023.

Magecart is a hacking method employed by several Russian-speaking groups. The malicious code that infiltrates sales sites is more commonly called a “skimmer”. Once the victim types in their card number when purchasing the item, the malware exfiltrates the data to an external server. Here, all the information is sent to a Russian host named DDoS-Guard. The researchers found many platforms for reselling this data on these servers.

Several tens of thousands of credit card numbers — including the CCV on the back of the card — are for sale on these sites. If your bank has contacted you about attempted fraudulent purchases, it’s possible that you entered your information into a skimmer-infected site within the last few months. The price of the cards varies according to the establishment, the country or the subscription. Generally, they are sold between 25 and 90 euros.

French bank cards on sale following a theft from a skimmer. // Source: Numerama

Some clues to spot a skimmer

How do you know if you are giving your information to a hacker at the time of purchase? A few clues can alert you: “A French purchasing platform that suddenly turns to English when it comes to filling in the information fields is suspicious,” says Jérôme Segura, director of threat research at Malwarebytes, to Numerama. “A spelling mistake, a defect in the layout that does not correspond to the usual site is also doubtful. Sometimes, we realize this after the fact: when we have entered our information and another page is then displayed to make our payment, it is probably the sign of a skimmer.”

The concern is that in many cases, there is no clue to spot the hacker’s trap. “Good skimmers are developed in such a way that victims do not realize there is a problem on this site,” specifies Jérôme Segura.

As for the owners of the e-commerce platform, they can also be working blind, without realizing that malicious code has been implanted. The skimmer regularly runs from the browser, and its requests often escape the administrators’ notice. “It happens that a site is infected for almost a year, without anyone realizing it,” says the cyber expert.

Example of a purchase form exfiltrating data.  // Source: Malwarebytes

Fraudulent purchases to launder money

Jérôme Segura launched his investigation by conducting “test” purchases on several platforms. The data he entered having landed in Russia, he began to dig into the source code of the sites until he discovered the malicious lines, hidden for example in invisible characters in the CSS files, which contain the fonts and the layout. While continuing his investigations, he came across a Magecart market: connection kits sold on forums for around 2,000 euros by Russian-speaking groups to attack e-commerce sites.
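A site owner can look for this kind of hiding place in the stylesheets their own site serves. The Python sketch below is an added example, not code from Malwarebytes or Numerama; it assumes that “invisible characters” means Unicode format characters (such as zero-width spaces) or long runs of blanks, and the sample stylesheet and the threshold are constructed for illustration.

```python
import re
import unicodedata

# Assumption: "invisible" = Unicode format characters (category Cf, e.g. the
# zero-width space U+200B) or long runs of blanks. The threshold is illustrative.
MAX_BLANK_RUN = 40
BLANK_RUN = re.compile(r"[ \t]{%d,}" % MAX_BLANK_RUN)

# Constructed sample: line 2 carries zero-width characters after the rule,
# line 3 carries 60 trailing spaces/tabs. Neither is visible in an editor.
SAMPLE_CSS = (
    "body { font-family: 'Open Sans', sans-serif; }\n"
    ".checkout { margin: 0 auto; }\u200b\u200c\u200b\u200b\u200c\n"
    ".footer { color: #333; }" + " \t" * 30 + "\n"
    ".btn { padding: 4px; }\n"
)


def scan_stylesheet(text):
    """Return (line_no, kind, detail) findings for one stylesheet's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hidden = [c for c in line if unicodedata.category(c) == "Cf"]
        # A byte-order mark (U+FEFF) at the very start of a file is normal.
        if line_no == 1 and line.startswith("\ufeff"):
            hidden = hidden[1:]
        if hidden:
            codes = ",".join(sorted({"U+%04X" % ord(c) for c in hidden}))
            findings.append((line_no, "invisible-chars",
                             "%d x %s" % (len(hidden), codes)))
        run = BLANK_RUN.search(line)
        if run:
            findings.append((line_no, "blank-run",
                             "%d blanks" % len(run.group())))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_stylesheet(SAMPLE_CSS):
        print("line %d: %s (%s)" % (line_no, kind, detail))
```

A finding is a reason to diff the file against the version in source control, not proof of infection: some fonts and minifiers legitimately emit such characters.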

A whole ecosystem revolves around this card market. Platforms sarcastically named “BrianKrebs” – named after a famous cyber expert – resell the stolen data. Many cryptocurrency scams based on skimmers have also been spotted.

Sometimes hackers use “mules” to buy items with the stolen cards, then resell them to launder money. These orders are generally made in other countries: it is more complicated today for a Russian hacker to have a product delivered to his country.

Double authentication should warn you in the event of a fraudulent purchase, but beware, many e-commerce sites only alert your bank above a certain amount.
