"Hackers Hijack Legitimate Sites to Host Credit Card Stealer Scripts"

A new Magecart credit card theft campaign uses legitimate websites as "makeshift" command-and-control (C2) servers to inject and hide skimmers on targeted eCommerce sites. A Magecart attack occurs when hackers infiltrate online stores and inject malicious scripts that steal customers' credit card and personal information during checkout. According to researchers at Akamai who are monitoring this campaign, organizations in the US, UK, Australia, Brazil, Peru, and Estonia have been compromised. Many of the victims did not realize they had been compromised for over a month, demonstrating the stealthiness of these attacks. In the first stage of the attack, the threat actors identify vulnerable legitimate sites, hack them to host malicious code, and use them as C2 servers. By distributing credit card skimmers through legitimate websites with a good reputation, threat actors can evade detection and blocks, as well as avoid the need to establish their own infrastructure. The attackers then inject a small JavaScript snippet into the targeted eCommerce sites; this snippet retrieves the malicious code from the previously compromised websites. To increase the stealthiness of the attack, the threat actors obfuscated the skimmer with Base64 encoding, which also hides the host's URL. The structure is built to resemble that of Google Tag Manager or Facebook Pixel. This article continues to discuss the new Magecart credit card stealing campaign.
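For site owners, the Base64-hidden host described above is something an audit of inline scripts can surface. The following is an added example, not code from the article or from Akamai: a Node.js check that decodes Base64 string literals in a page's inline scripts and reports any that turn out to be URLs. The allowlist, function names, sample page and placeholder host are all assumptions made for illustration.

```javascript
// Added example (not from the article). Hosts below are an assumed allowlist.
const APPROVED_HOSTS = new Set(["www.googletagmanager.com", "connect.facebook.net"]);

// Quoted literals that look like padded Base64; 16+ chars skips short tokens.
const B64_LITERAL = /(["'`])([A-Za-z0-9+/]{16,}={0,2})\1/g;
// Only decoded values that are absolute or protocol-relative URLs matter here.
const URL_LIKE = /^(?:https?:|wss?:)?\/\/[^\s"'<>]+$/i;

// Return every Base64 literal in a script body that decodes to a URL.
function hiddenUrls(scriptText) {
  const hits = [];
  for (const m of scriptText.matchAll(B64_LITERAL)) {
    const literal = m[2];
    if (literal.length % 4 !== 0) continue; // not well-formed Base64
    const decoded = Buffer.from(literal, "base64").toString("utf8");
    if (!URL_LIKE.test(decoded)) continue;
    let host;
    try {
      host = new URL(decoded.startsWith("//") ? "https:" + decoded : decoded).hostname;
    } catch {
      continue; // decoded text only looked like a URL
    }
    hits.push({ decoded, host, approved: APPROVED_HOSTS.has(host) });
  }
  return hits;
}

// Walk the inline <script> blocks of a page and collect hidden URLs per block.
function auditInlineScripts(html) {
  const findings = [];
  let index = 0;
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    index += 1;
    if (/\bsrc\s*=/i.test(m[1])) continue; // external tags: review via CSP/SRI instead
    for (const hit of hiddenUrls(m[2])) findings.push({ script: index, ...hit });
  }
  return findings;
}

// Constructed sample page: one ordinary tag-manager include, one inline block styled
// like an analytics tag that carries a Base64-encoded URL (placeholder host).
const encoded = Buffer.from("https://compromised-site.example/tag.js").toString("base64");
const SAMPLE_PAGE = `
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script>window.dataLayer = window.dataLayer || []; var cfg = {id: "GTM-XXXX", k: "${encoded}"};</script>
<script>var nonce = "QUJDREVGR0hJSktMTU5PUFFSU1RVVg==";</script>`;

console.log(auditInlineScripts(SAMPLE_PAGE));
```

Any finding with `approved: false` deserves manual review, and even an approved host hidden behind Base64 is unusual enough to check against the vendor's published snippet.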

Bleeping Computer reports "Hackers Hijack Legitimate Sites to Host Credit Card Stealer Scripts"

Submitted by Anonymous on