Card skimming has existed prior to the mainstream internet and is experiencing a revival as financial fraudsters recognise new potential to combine physical world data theft with online intrusion to steal even more money and information than ever. Only a week ago, it was announced that over 500 online retail sites were victims of a large "card skimming" incident, in which threat actors placed a device that allowed them to duplicate and steal the data from valid debit and credit cards as they were used for purchases.
Card skimming fraudsters used to implant a physical device into ATMs or payment terminals to steal information from genuine consumers' payment cards. Nowadays, since online shopping is more popular than ever, cyber thieves are utilising malware placed into the checkout pages of online commerce sites to acquire credit card information, which they can then resell or use in their own nefarious schemes.
Sansec, a malware and vulnerability detection firm that works with over 7,000 online retailers, was among the first to notice this fraudulent card skimming activity earlier this month. The vendor proposes "cleaning" the affected retail sites in order to remove the harmful code, but experts fear that these cyber-skimmers may just shift their strategy and look for "backdoors" through which they can implement their viruses.
Many of these new card-skimming attacks, as well as other card information theft tactics where the card is not physically present at the moment of transaction, have been linked to the Magecart cybercriminal gang. Furthermore, if mobile phones begin to have card readers, this situation may worsen.
The cybersecurity firm was able to speak with the administrators of the hijacked websites, according to another report by Ars Technica. They noticed that the hackers used a SQL injection flaw as well as a PHP object injection attack. Both were apparently using Quickview, a Magento 2 extension that allows buyers to quickly view product information without having to load the listings.
The hackers were able to add an additional validation rule to the customer_eav_attribute table by misusing the Magento plugin. Furthermore, the credit card skimming group injected a payload onto the site. In order for the code to run successfully, the hackers must first "unserialize" the data on Magento. They would then log in as a new guest on the website.