Researchers discover new rogue iFrame phishing technique targeting payments

The technique is the latest in a long line of attacks targeting online payments

Hackers are stealing credit card data through a recently discovered iframe phishing technique, according to researchers.

The malicious code, identified by Malwarebytes security researcher Jérôme Segura, is injected into every page of a hacked website and asks customers to enter their credit card information.

During a web crawl, Segura discovered suspicious activity from a site running the Magento Ecommerce Platform that had been compromised by the skimming technique.

Although this isn't the first time that Magento has been affected by skimming code, what sets this technique apart is that it displays a credit card phishing form page and redirects customers to a payment service provider.

"The crooks first load their own innocuous iframe to collect the credit card data, which is then validated before being exfiltrated," wrote Segura in a blog post.

Segura added that "injected code is present in all the PHP pages of that site" and that "it will only trigger if the current URL in the address bar is the shopping cart checkout page (onestepcheckout)".

The researcher continued: "If the right conditions are met, an external piece of JavaScript is loaded from thatispersonal[.]com, a domain registered with REGISTRAR OF DOMAIN NAMES REG.RU LLC and hosted in Russia.

"It's worth noting that directly browsing to this URL without the correct referrer (one of the hacked Magento sites) will return a decoy script instead. The complete script is largely obfuscated and creates the iframe-box we saw above for harvesting credit card details at the right place on screen."
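Two of the details above translate directly into defender-side checks: third-party script and iframe sources that do not belong on a checkout page, and the referrer-gated decoy, which can be exposed by fetching the same script URL with and without a Referer header and comparing the two bodies. The following is an added example written for this article, not code from Segura or Malwarebytes; the hostnames, HTML and script bodies are constructed samples.

```python
"""Static checks for the rogue-iframe skimmer pattern described in the article.

1. foreign_sources(): list <script>/<iframe> src values on a checkout page whose
   host is not on the shop's allowlist (the injected loader is off-origin).
2. is_cloaked(): the article notes the skimmer host serves a decoy when fetched
   without a hacked-shop Referer; fetch once with and once without the header
   and compare the bodies to detect that cloaking.
All sample data below is constructed for the example (hypothetical hosts).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect (tag, src) for every <script> and <iframe> that has a src."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def foreign_sources(html, allowed_hosts):
    """Return (tag, src) pairs whose host is absent from allowed_hosts.

    Relative and same-origin references have no netloc and are skipped;
    protocol-relative '//host/...' references are resolved by urlparse.
    """
    parser = _SrcCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    return [(tag, src) for tag, src in parser.sources
            if urlparse(src).netloc.lower() not in ({""} | allowed)]


def is_cloaked(body_without_referer, body_with_referer):
    """True when one URL returns different content depending on the Referer."""
    return body_without_referer.strip() != body_with_referer.strip()


# Constructed checkout-page HTML: one legitimate script, one legitimate
# payment iframe, and one off-origin loader of the kind the article describes.
SAMPLE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<iframe src="https://shop.example/payment-frame"></iframe>
<script src="//bad-host.example/loader.js"></script>
</body></html>"""
```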

The process, according to Segura, continues with another long and obfuscated script in which "hackedsite" contains the name of the compromised e-commerce site.

Segura added: "Its job is to process, validate, and then exfiltrate the user data. That data is sent via a POST request to the same malicious domain in a custom encoded format."

As Segura noted, this skimmer has evolved over time and hasn't always been used for the rogue iframe technique.

"Historical scans archived on urlscan.io show some changes with obfuscation going from a hex-encoded array to string manipulation using split and join methods," said Segura.

"Criminals have many different ways of stealing data from online shoppers with web skimmers. While supply-chain attacks are the most damaging because they usually affect a larger number of stores, they are also more difficult to pull off.

"Compromising vulnerable e-commerce sites via automated attacks is the most common approach. Once the skimmer is injected into the payment page, it can steal any data that is entered and immediately send it to the crooks."

Segura concluded that it will be difficult for online shoppers to spot this technique and "perhaps only after being prompted for the same information again will they become suspicious".
