Security News > 2020 > November > Credit card skimmer fills fake PayPal forms with stolen order info
A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores.
The skimmer will capture all order form data entered by the victims and will exfiltrate it to the attackers' servers.
This is where similarities with regular skimmer scripts end since the stolen order data is also later used to pre-fill fake PayPal payment forms that will be injected and displayed during the checkout process instead of legitimate forms.
The skimmer will also parse the order info before using it to fill the PayPal forms and "[i]f the data is no good, it actually sends a message back to the page on the victim's site," as Kraut found, effectively removing the malicious iframes from the checkout page.
After stealing the victims' payment data, the skimmer will click the order button behind the malicious iframe sending the victim back to the legitimate checkout process.