Jérôme Segura, a security researcher from Malwarebytes, observed that attackers are leveraging an iframe-based phishing system to steal payment card data from Magento sites.
Segura noted that attackers inject their credit card stealer scripts into every page of the hacked websites to display an iframe phishing form that asks customers to submit their banking details.
How does this work?
The Magento site has been hacked and the iframe-based credit card phishing script has been injected into all of its pages. However, the phishing form will be displayed only on the actual checkout page.
The injected code is present in all pages of the hacked site, but it will only trigger if the current URL in the address bar is the actual checkout page.
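A defender-side check for the behavior described above, as an added example that is not from the researcher's write-up: it lists iframes on a rendered checkout page whose origin is not on the merchant's allow-list. The function names, the allow-list and the `.example` hosts are hypothetical, constructed values.

```javascript
// Added example: checkout-page iframe audit. All names and hosts are hypothetical.

// Origins the merchant actually expects to frame on checkout (constructed values).
const ALLOWED_FRAME_ORIGINS = new Set([
  "https://shop.example",     // the store itself
  "https://pay.psp.example",  // the real payment provider's hosted fields
]);

// Classify one iframe by its src attribute, resolved against the page URL.
function classifyFrame(src, pageUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  // Frames with no src (or about:blank) inherit the page origin and can be
  // filled in by script, so they are reported for review rather than trusted.
  if (!src || src.startsWith("about:")) return { src: src || "", verdict: "review-inline" };
  let url;
  try {
    url = new URL(src, pageUrl); // handles relative and protocol-relative src
  } catch {
    return { src, verdict: "unparseable" };
  }
  if (url.protocol !== "https:") return { src, verdict: "unexpected-scheme" };
  return { src, verdict: allowed.has(url.origin) ? "allowed" : "unexpected-origin" };
}

// Return every frame that is not on the allow-list.
function auditFrames(frameSrcs, pageUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  return frameSrcs
    .map((src) => classifyFrame(src, pageUrl, allowed))
    .filter((r) => r.verdict !== "allowed");
}

// In a browser: audit the rendered DOM and re-audit whenever nodes are added,
// because the phishing iframe is inserted at runtime and is absent from static HTML.
if (typeof document !== "undefined") {
  const run = () => {
    const srcs = [...document.querySelectorAll("iframe")].map((f) => f.getAttribute("src"));
    const findings = auditFrames(srcs, location.href);
    if (findings.length) console.warn("Unexpected checkout iframes:", findings);
  };
  run();
  new MutationObserver(run).observe(document.documentElement, { childList: true, subtree: true });
}
```

Run it against the real checkout URL (for example from a headless-browser monitoring job), since the injected code stays dormant on every other page.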
Worth noting
“As we have seen in this article, even e-commerce sites that do not collect payment data themselves can be affected when the attackers inject previously non-existent credit card fields into the checkout page. For online shoppers, this trick will be difficult to spot early on and perhaps only after being prompted for the same information again will they become suspicious,” the researcher said in a blog post.