
JavaScript Skimming Targeting Ecommerce websites


Qihoo 360 Netlab, a Chinese IT firm, has discovered a new skimming attack that has injected malicious JavaScript into the payment sections of 105 ecommerce websites and is stealing credit card and other customer data.

The investigation started in October 2018, when the domain name magento-analytics[.]com appeared on their radar. Traffic was initially low, but they then noticed the IP moving from “United States – Arizona” to “Russia – Moscow”, then to “China – Hong Kong”.

What Happened?

The attack is a fairly simple piece of JavaScript. As soon as the JS is loaded, a timer is set and the TrySend function is called every 500 ms to try to read input data such as Number/Holder/Date/CVV. Once it succeeds, it calls SendData to report the data to its parent (https://magento-analytics[.]com/gate.php). The other code in the URLs, whether it is a 13-byte hash-like JS or a specially named JS such as powermusic.js/monsieurplus.js/powermusic[.]js, has functions calling the same snippet.
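For site owners, the behaviour described above (a short polling timer, reads of card fields, a report to an off-site host) can be turned into a static check of the checkout page. The following is an added example, not code from Netlab or from the original article; the function names, allowlist, sample page and `.example` hosts are assumptions made for illustration.

```javascript
// Added example: heuristic triage only. Sample HTML, hosts and allowlist are constructed.
const CARD_HINTS = /\b(cvv|cvc|card.?number|holder|expiry)\b/i;
const TIMER = /setInterval\s*\(\s*[^,]+,\s*(\d+)\s*\)/g;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi; // absolute URLs only

// Hosts referenced in `text` that are not an allowed domain or a subdomain of one.
function offsiteHosts(text, allowed) {
  const hosts = new Set();
  for (const m of text.matchAll(URL_RE)) {
    const h = m[1].toLowerCase();
    if (!allowed.some(a => h === a || h.endsWith('.' + a))) hosts.add(h);
  }
  return [...hosts];
}

function auditCheckoutPage(html, allowed) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) { // external script: flag any host outside the allowlist
      const hosts = offsiteHosts(src[1], allowed);
      if (hosts.length) findings.push({ type: 'external-script', hosts });
      continue;
    }
    // inline script: flag only when all three traits of the pattern coincide
    const polls = [...body.matchAll(TIMER)].some(m => Number(m[1]) <= 1000);
    const hosts = offsiteHosts(body, allowed);
    if (polls && CARD_HINTS.test(body) && hosts.length)
      findings.push({ type: 'polling-card-reader', hosts });
  }
  return findings;
}

// Constructed checkout page: one first-party script, one third-party script,
// and an inline stub shaped like the behaviour described (bodies elided).
const SAMPLE = `
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script src="https://stats.collector.example/a1b2c3d4e5f6a.js"></script>
<script>
  setInterval(TrySend, 500);
  function TrySend() { /* reads Number, Holder, Date, CVV inputs */ }
  function SendData(d) { /* reports to https://stats.collector.example/gate.php */ }
</script>`;

const findings = auditCheckoutPage(SAMPLE, ['shop.example']);
console.log(JSON.stringify(findings, null, 2));
```

A hit is a prompt for manual review of that script, not proof of compromise; obfuscated or protocol-relative references will not match these patterns.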

We must inform readers at this point that the website magento-analytics[.]com does not seem to be directly related to the popular ecommerce platform Magento. The same code has affected over 105 websites; the most popular of them are:

imitsosa[.]com
alkoholeswiata[.]com
spieltraum-shop[.]de
ilybean[.]com
mtbsale[.]com
ucc-bd[.]com

Our recommendation: online security affects everyone. Always double-check when making payments online. This also applies to people using the same internet infrastructure as you.