During a routine investigation, the researchers found the web skimmer that pretends to be related to Sucuri, the malicious code was injected into the database of a Magento site.
The skimmer is added to the onclick event of the checkout button and onunload event of the web page.
Upon execution, the code gathers any data from form fields, such as credit card and billing details, and exfiltrates it to a remote gateway using a GET request with plaintext parameters.
“The payment data exfiltration takes place via an <img> tag whose src parameter is changed to hxxps://terminal4.veeblehosting[.]com/~sucurrin/i/gate.php, with relevant GET parameters such as card number, CVV, and expiration date stored in plain text.” reads the analysis published by Sucuri.
“terminal4.veeblehosting[.]com is neither a malicious site nor a hacked site. It’s a host name of some shared servers (220.127.116.11, 18.104.22.168) belonging to the Dutch hosting provider Veeble.”
This gateway is hosted on Dutch hosting provider Veeble and operated under the account name “sucurrin.”
The skimmer works on a site that belongs to the “sucurrin” Veeble account that resembles the name of Sucuri. Experts noticed that terminal4.veeblehosting[.]com/~sucurrin/ redirected to the legitimate Sucuri website (https://sucuri.net/) to avoid raising suspicion.
According to X-Force Threat Intelligence, the same software skimmer was injected into at least three website belonging to Harley-Davidson Military, Nappy Land National Childcare Supplier, and Soccer4All.
At the time it not clear if the skimmers are still active on this site.
“To filter out bad actors masquerading as known brand and mitigate the risk of malicious credit card skimmers, consider employing integrity control and security monitoring on your website to mitigate an attack. A good website firewall can help to minimize the risk of infection in the first place.” concluded Sucuri.
(SecurityAffairs – hacking, software skimmer)