Experts at Sucuri discovered threat actors using fake Google
“The malicious user purposely selected the domain name with the intention of deceiving unsuspecting victims.
The attackers are using internationalized domain names (IDNs) to remain under the radar and camouflage servers hosting the skimmer script.
Some characters with different ASCII codes appear to be the same; this trick is used by attackers like
The card skimming script injected in the fake Google domains captures input data using the document
Experts pointed out that the skimmer determines the type of browser
In the presence of Chrome or Firefox web browsers, the skimmer script will not send captured data to the C2 server to avoid detection.
Experts noticed malicious code in Magento’s core_config_data table, which is used to store configuration values from the Magento admin interface.
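A defender-side check for the two points above (lookalike IDN hosts and script tags stored in configuration values), as an added example that is not code from Sucuri or from the original article. The allowlist, the example.* hosts, the sample rows shaped like core_config_data entries and the small lookalike map are all assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Assumption: the store's own allowlist of script hosts (hypothetical names).
TRUSTED = {"cdn.example.com", "static.example.net"}

# Small, deliberately partial map of Cyrillic letters that render like Latin ones.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
              "\u0440": "p", "\u0441": "c", "\u0456": "i"}

SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']?([^"'\s>]+)""", re.I)

def to_unicode(host):
    """Decode xn-- (punycode) labels so the host reads as a browser may show it."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode

def skeleton(host):
    """Fold accents and mapped lookalike letters down to plain ASCII."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(CONFUSABLE.get(ch, ch) for ch in decomposed
                   if not unicodedata.combining(ch))

def audit(rows, trusted):
    """Return (path, host, skeleton, kind) for every non-ASCII script host."""
    findings = []
    for path, value in rows:
        for src in SRC_RE.findall(value):
            shown = to_unicode(urlsplit(src).hostname or "")
            if shown.isascii():
                continue  # plain ASCII hosts need a separate allowlist check
            skel = skeleton(shown)
            kind = "homograph" if skel in trusted else "idn"
            findings.append((path, shown, skel, kind))
    return findings

# Constructed sample rows (path, value); not taken from any real store.
ROWS = [
    ("design/head/includes", '<script src="https://cdn.example.com/app.js"></script>'),
    ("design/head/includes", '<script src="https://cdn.ex\u00e4mple.com/app.js"></script>'),
    ("design/footer/absolute_footer", '<script src="//%s/t.js"></script>'
     % "static.ex\u0430mple.net".encode("idna").decode("ascii")),
    ("design/footer/absolute_footer", '<script src="https://b\u00fccher.example.org/x.js"></script>'),
]

if __name__ == "__main__":
    for finding in audit(ROWS, TRUSTED):
        print(*finding, sep="\t")
```

A "homograph" finding means the host collapses to an allowlisted name without being that name; an "idn" finding is any other non-ASCII host and is worth a manual look.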
A few days ago, security experts at Sanguine Security uncovered a new large-scale payment card skimming campaign that already hacked 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang: hackers injected a skimmer script into The Guardian via an old AWS S3 bucket, exploiting wix-cloud[.]com as a skimmer gate.
According to RiskIQ, since April 2018, Magecart hackers adopted a new tactic that relies on misconfigured Amazon S3 buckets. These buckets allow anyone with an active Amazon Web Services account to read from or write to them.
Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.
According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others; in particular, the gang tracked as Group 4 appears to be very sophisticated.
(SecurityAffairs – Magecart, fake Google Domains)