Fake Google domain used in attacks to deploy skimmer on Magento sites

• The infected Magento site loads a JavaScript code from a malicious internationalized domain.
• The malicious code changes automatically if DevTools are toggled in Google Chrome or Mozilla Firefox.

Security researchers from Sucuri came across a compromised Magento-based site that was infected by means of a fake Google domain. The infected website contained a credit card skimming JavaScript code received from a malicious internationalized domain. The malicious domain is disguised as Google Analytics and is believed to be used in phishing attacks.

The website was reported to Sucuri researchers by its owner after it was blacklisted and was marked as a “Dangerous Site” by McAfee SiteAdvisor.

How does it work?

• The JavaScript skimmer code loaded from the malicious domain changes automatically if DevTools is enabled in Google Chrome or Mozilla Firefox.
• The code does not send any user input to the C2 server if DevTools is toggled on. If DevTools is off, the input data is sent to the fake Google domain. According to Sucuri researchers, the site visitors are presented with another fake Google domain.
• Furthermore, the card skimmer on the affected sites is believed to work on a dozen payment gateways.
• The malicious site hosting the skimmer code also contains another malicious code that affects the Magento admin interface.

Worth noting

Sucuri researchers believe that Magento-powered sites are the most attractive targets for credit card stealing attacks.

“During our analysis of hacked websites in 2018, we found that 83% of Magento websites were vulnerable at the point of infection. In an effort to obtain sensitive customer data and credit card information from ecommerce websites, attackers continue to leverage vulnerable Magento installations,” said the researchers.

In this case, there are no other known attack instances that used the same fake internationalized Google domain.