The Magecart group has compromised the website of the photography and imaging retailer Focus Camera. The hack took place last year, the hacker planted a software skimmer on the website to steal payment card data of users that purchased the products on the portal.
Like other Magecart attacks (i.e. British Airways) the attackers registered a domain resembling a legitimate brand or product, in this case, they used the “zdsassets.com” a domain that resembles ZenDesk’s website “zdassets.com.”
The attackers used the script to load a payload encoded using base64 and developed to steal personal and payment card data (email, customer name, address (billing, and shipping), phone number, and card details (number, expiration date, CVV code).
“Based on some DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation.” reads the analysis published by the expert. “It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns – At this time, we don’t have any telemetry to prove it one way or the other.”
The expert noticed that that the script was stealing data of customers who check out as a guest, he did not test the checkout process for registered users.
Juniper researchers reported their findings to the Focus Camera website that removed the malicious code.