Magecart Skimmers and Stolen Card Details Hosted on Salesforce’s Heroku Cloud

• Security experts have spotted signs of Magecart threat actors exploiting Salesforce's Heroku cloud application platform to store malicious scripts and stolen card details.
• Salesforce’s Heroku provides a platform as a service (PaaS) for developers to build and manage applications in the cloud.

Researchers from Malwarebytes' Threat Intelligence team found several instances of Heroku-hosted Magecart skimmers. Most of these scripts were observed to be used in campaigns this week.

How did this happen?

The Heroku Freemium model allowed attackers to register for a free account and use it as a web hosting service for free.

• The attackers are said to have crafted the malicious web app in such a way that it harvested the credit card information from customers and sent it back to the storage on Heroku belonging to the attackers.
• The data was found to be sent to Heroku in an encoded format.
• Researchers believe that the data was hosted on Heroku for about a week. Considering that this is not the first time cloud services have been exploited by payment card skimmers, we need to consider stricter security measures.

“Its goal is to monitor the current page and load a second element (a malicious credit card iframe) when the current browser URL contains the Base64 encoded string Y2hlY2tvdXQ= (checkout),” said Jérôme Segura from Malwarebytes.

After harvesting the required details, an error message will be displayed to the victims asking them to reload the page. In cases like this, it is not easy for an average end-user to spot attacks as there are no obvious symptoms.

What is the situation now?

The scripts were reported to the Salesforce Abuse Operations team that removed all of them immediately.

With Magecart attacks being reported frequently, including one at Sweaty Betty today, both organizations and individuals must exercise caution when dealing with financial information online.