Security News

A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores. The skimmer will capture all order form data entered by the victims and will exfiltrate it to the attackers' servers.

Just as seasonal online shopping kicks into high gear, new variants of the point-of-sale Grelos skimmer malware have been identified. Over time new actors began to co-opt the Grelos skimmer and reuse some of the original domains used to host the malware.

Cybercriminals have planted a payment card skimmer on the websites of several organizations using the Playback Now conference platform, Malwarebytes reported on Thursday. The customer websites hosted on the platform (each customer receives a dedicated website on which to serve its content) had been injected with a payment card skimmer that allowed the attackers to steal the financial information of users purchasing conference materials from those sites.

Hackers associated with the "Fullz House" group have compromised the website of Boom! Mobile and planted a web skimmer, Malwarebytes reports. The attack on Boom! Mobile, Malwarebytes reveals, involved the injection of one line of code containing a Base64 encoded URL designed to load a JavaScript library from a remote domain used in a previous attack.

A JavaScript skimmer identified earlier this year uses dynamic loading to avoid detection by static malware scanners, Visa warns. The skimmer is basic, containing the expected components and functionality of such a kit, namely an administration panel, an exfiltration gateway, and a skimming script generator, but has an advanced design, suggesting that it is the work of a skilled developer, Visa notes in a security alert.

The e-commerce card-skimming landscape has a new wrinkle: Cybercriminals affiliated with the Magecart collective are using the encrypted messaging service Telegram as a channel for sending stolen credit-card information back to their command-and-control servers. "Telegram is a popular and legitimate instant messaging service that provides end-to-end encryption, [and] a number of cybercriminals abuse it for their daily communications but also for automated tasks found in malware," a researcher quoted in the report said. He added, "The novelty [here] is the presence of the Telegram code to exfiltrate the stolen data."

The American Payroll Association says user information was stolen after attackers managed to inject a skimmer on its website. A payroll education, publications, and training provider, APA helps professionals increase their skills, offering payroll conferences and seminars, resources, and certification.

Cybersecurity researchers today highlighted an evasive phishing technique that attackers are exploiting in the wild: they target visitors of several sites using a quirk in domain names, and leverage modified favicons to inject e-skimmers and steal payment card information covertly. Called an internationalized domain name homograph attack, the technique has been used by a Magecart group on multiple domains to load the popular Inter skimming kit hidden inside a favicon file.

A group of cybercriminals managed to hide their web skimmer in the EXIF metadata of an image that was then surreptitiously loaded by compromised online stores, Malwarebytes reveals. Although image files have been long used to carry malicious code and exfiltrate data, it's unusual to have web skimmers hidden in image files.

A Magecart credit-card skimmer was used to attack online customers of the retailer Claire's for a month and a half, according to researchers. "Following common Magecart malpractice, payment skimmers were injected and used to steal customer data and cards," according to Sansec.