By Source Defense

An ongoing Magecart attack has been discovered on a Parisian travel accessory web store that uses the Kritec skimmer to create what analysts are calling the perfectly hijacked checkout page. 

Magecart – otherwise known as eSkimming or Digital Skimming – attacks are designed to skim information entered into payment forms on checkout pages before sending the data back to a remote computer controlled by attackers. Attackers accomplish this by compromising the third- and fourth-party JavaScript code used by nearly all websites to provide things like online shopping carts, forms, analytics, advertising, social sharing, and much more.

The Kritec Skimmer

The Kritec skimmer operates by intercepting the checkout process during online purchases. After a customer enters their payment details, the skimmer simulates a fake payment dialog, giving the impression that the payment has been processed. It then displays a fake error message, redirecting the victim to the actual payment page. During this process, the skimmer steals the customer’s payment card details.

“What we see here is the use of a ‘modal,’ which is a web page element displayed in front of the current active page,” said Jérôme Segura, director of threat intelligence at Malwarebytes. “The modal disables and grays out the background so that the user can focus on the presented element instead. This is an elegant way for website owners to keep their customers on the same website and have them interact with another form,” he said.

“The problem is that this modal is entirely fake and designed to steal credit card data. The threat actor used original logos from the compromised store and customized a … modal to perfectly hijack the checkout page.”

Kritec uses various techniques to evade detection, such as impersonating legitimate third-party vendors like Google Tag Manager. This makes detecting the skimmer in online stores difficult, allowing it to operate stealthily for extended periods. 

This latest attack comes just months after Malwarebytes discovered another web skimmer that collects browser fingerprint data, such as IP addresses and User-Agent strings, along with credit card information, likely in an attempt to identify unwanted visitors such as bots and security researchers. It also comes on the heels of warnings from Visa that eSkimming attacks are up 174% over the past six months.

Targeting Online Stores

The threat actors behind the Kritec attack target various online stores. They use custom modals and similar domain names to impersonate legitimate businesses, making it difficult for customers to identify the faux prompts. 

The scope of these attacks poses significant risks to both the online stores and their customers. The potential financial impact on businesses can be enormous, potentially resulting in lawsuits, loss of brand reputation, and loss of customers’ trust. On the other hand, customers risk identity theft, fraudulent credit card transactions, and reputational damage.

Magecart attacks using the Kritec skimmer pose significant risks to online stores and customers. “We now believe this Kritec skimmer is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script,” Segura said. “It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly.”

Make Magecart Attacks a Thing of the Past
Comply with Upcoming PCI DSS 4.0 Requirements 

The Source Defense Client-Side Web Application Security Platform is an all-in-one, single, and scalable system built for complete threat visibility, control, and prevention of Magecart/eSkimming attacks. With this one-of-a-kind technology, client-side threats are stopped in their tracks without your teams needing to lift a finger. Source Defense uses a prevention-first approach and real-time JavaScript sandbox isolation and reflection to prevent client-side attacks without having to alert analysts for a response.

Source Defense uses real-time JavaScript sandboxing technology to create virtual pages that isolate the third-party scripts from the website. The virtual pages are an exact replica of the original ones, excluding what the third parties are not supposed to see. We monitor all third-party script activity on the virtual pages. If the activity is within the scope of what the scripts are allowed to do, we transfer it from the virtual page to the original one. If not, we keep the activity on the virtual pages, isolated from the user, and send a report to the website owner, alerting them of the third-party scripts violating their security policy.

This is as close to ‘set it and forget it’ security and data privacy as you will see on the market. The Source Defense approach answers core requirements in PCI DSS 4.0 under sections 6.4.3 and 11.6.1.

Cybersecurity analysts can rest easy at night — and engage in valuable activities during the workday — knowing that a critical portion of their job is being efficiently and automatically managed. Visibility is the first and most important part of any risk mitigation program. Source Defense is ready to provide you with a free website risk analysis within the next few days. Get moving with the Source Defense team to close this open gap in your eCommerce security.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.