By Source Defense
An ongoing Magecart attack has been discovered on a Parisian travel accessory web store that uses the Kritec skimmer to create what analysts are calling the perfectly hijacked checkout page.
The Kritec Skimmer
The Kritec skimmer operates by intercepting the checkout process during online purchases. After a customer enters their payment details, the skimmer displays a fake payment dialog that gives the impression the payment is being processed. It then shows a fake error message and redirects the victim to the store's real payment page. During this process, the skimmer steals the customer’s payment card details.
“What we see here is the use of a ‘modal,’ which is a web page element displayed in front of the current active page,” said Jérôme Segura, director of threat intelligence at Malwarebytes. “The modal disables and grays out the background so that the user can focus on the presented element instead. This is an elegant way for website owners to keep their customers on the same website and have them interact with another form,” he said.
“The problem is that this modal is entirely fake and designed to steal credit card data. The threat actor used original logos from the compromised store and customized a … modal to perfectly hijack the checkout page.”
Kritec uses various techniques to evade detection, such as impersonating legitimate third-party vendors like Google Tag Manager. This makes detecting the skimmer in online stores difficult, allowing it to operate stealthily for extended periods.
This latest attack comes just months after Malwarebytes discovered another web skimmer that collects browser fingerprint data, such as IP addresses and User-Agent strings, along with credit card information, likely in an attempt to monitor invalid users such as bots and security researchers. It also comes on the heels of warnings from Visa that eSkimming attacks are up 174% over the past six months.
Targeting Online Stores
The threat actors behind the Kritec attack target various online stores. They use custom modals and similar domain names to impersonate legitimate businesses, making it difficult for customers to identify the faux prompts.
The scope of these attacks poses significant risks to both the online stores and their customers. The potential financial impact on businesses can be enormous, potentially resulting in lawsuits, loss of brand reputation, and loss of customers’ trust. On the other hand, customers risk identity theft, fraudulent credit card transactions, and reputational damage.
Beyond the immediate risk to stores and their customers, Segura ties the skimmer to a broader campaign. “We now believe this Kritec skimmer is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script,” Segura said. “It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly.”
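The vendor impersonation and lookalike domains described above are what a payment-page script inventory (the control PCI DSS 4.0 sections 6.4.3 and 11.6.1 ask for) is meant to surface. The check below is an added example, not code from the original post or from Source Defense's product; the store origin, the allowlist and every hostname in the sample are constructed for illustration.

```javascript
// Added example: inventory the scripts on a checkout page, compare each source
// host with an allowlist, and flag unlisted hosts that borrow a trusted
// vendor's name (the "looks like Google Tag Manager" trick). All hostnames
// here are constructed; none is a real Kritec indicator.
const PAGE_HOST = "shop.example";                 // assumed store origin
const ALLOWED_HOSTS = [                           // assumed approved vendors
  "www.googletagmanager.com",
  "www.google-analytics.com",
  "checkout.stripe.com",
];

// Brand tokens are the registrable label of each allowed host with hyphens
// removed, e.g. "googletagmanager"; an unlisted host containing one is suspect.
function brandTokens(allowed) {
  return allowed.map((h) => {
    const parts = h.split(".");
    return parts[parts.length - 2].replace(/-/g, "");
  });
}

// Classify one script src as "allowed", "lookalike", "unknown" or "malformed".
function classifyScript(src, pageHost, allowed, tokens) {
  let host;
  try {
    host = new URL(src, `https://${pageHost}/`).hostname.toLowerCase();
  } catch {
    return { src, verdict: "malformed" };
  }
  if (host === pageHost || allowed.includes(host)) return { src, host, verdict: "allowed" };
  const norm = host.replace(/-/g, "");
  const mimics = tokens.find((t) => norm.includes(t));
  if (mimics) return { src, host, verdict: "lookalike", mimics };
  return { src, host, verdict: "unknown" };  // needs review before approval
}

function auditSources(srcs, pageHost = PAGE_HOST, allowed = ALLOWED_HOSTS) {
  const tokens = brandTokens(allowed);
  return srcs.map((s) => classifyScript(s, pageHost, allowed, tokens));
}

// In a browser, walk the live DOM; inline scripts have no src and are listed
// separately because they need review too. Returns [] outside a browser.
function auditPage(doc = globalThis.document) {
  if (!doc) return [];
  return Array.from(doc.scripts).map((s) =>
    s.src ? auditSources([s.src], doc.location.hostname)[0]
          : { src: "(inline)", verdict: "inline" });
}

// Constructed sample of script tags seen on a checkout page.
const SAMPLE_SCRIPTS = [
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "/static/js/checkout.js",
  "https://googletagmanager-cdn.example/gtm.js",   // constructed lookalike host
  "https://cdn.unlisted-vendor.example/widget.js",
];
```

A host allowlist does not catch malicious code injected into a legitimately hosted script, the Google Tag Manager case Segura describes, so pair this inventory with content hashes or Subresource Integrity so that changes to an approved script are also detected.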
Make Magecart Attacks a Thing of the Past
Comply with Upcoming PCI DSS 4.0 Requirements
This is as close to ‘set it and forget it’ security and data privacy as you will see on the market. The Source Defense approach answers core requirements in PCI DSS 4.0 under sections 6.4.3 and 11.6.1.
Cybersecurity analysts can rest easy at night — and engage in valuable activities during the workday — knowing that a critical portion of their job is being efficiently and automatically managed. Visibility is the first and most important part of any risk mitigation program. Source Defense is ready to provide you with a free website risk analysis within the next few days. Get moving with the Source Defense team to close this open gap in your eCommerce security.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.