Two web skimmers have been discovered on the payment webpages of Costway, one of the top retailers in North America and Europe, which sells appliances, furniture and more. The skimmers are targeting consumers’ credit-card payment details.
In a twist, researchers say one of these web skimmers is piggybacking on top of the other, to take over the fake forms that had previously been injected onto Costway’s site. The tactic gives the cybercriminals behind the piggybacking skimmer an easy way to harvest credit-card details – without doing the heavy lifting, said researchers.
The website under attack runs on the no-longer-maintained Magento 1 e-commerce software branch. Magento is an e-commerce platform for online merchants that’s built on open-source technology. Support for Magento 1 ended last June, with the thousands of retailers worldwide operating on the platform being urged to update to the more mobile-friendly Magento 2 iteration.