Threat actors are using fake but convincing Google domains to fool website visitors into thinking infected websites are safe when making online transactions.
An example of the code is below:
“Website visitors may see a reputable name (like “Google”) in requests and assume that they’re safe to load, without noticing that the domain is not a perfect match and is actually malicious in nature,” the researchers say.
However, the code will change tactics depending on whether developer tools in either the Google Chrome or Mozilla Firefox browser are in use. The skimmer will not attempt to grab any information in these scenarios, which is likely an attempt to avoid detection.
The card skimmer supports “dozens” of payment gateways, Sucuri says, and if developer tools are not detected, stolen information is sent to a remote server — once again disguised with another fraudulent domain, google[.]ssl[.]lnfo[.]cc.
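One defensive check that follows from the lookalike-domain trick above, added here as an example and not taken from the article or from Sucuri's research: it flags request hosts that carry a trusted brand name (with common character swaps such as l/i and 0/o undone) but are not under that brand's real registrable domains. The trusted-domain allowlist, the confusable map and the sample request list are assumptions constructed for the demonstration.

```javascript
// Registrable domains the brand legitimately serves from. Assumption: a small
// hand-written allowlist; a real deployment would derive this from the Public
// Suffix List plus an organisation-specific allowlist.
const TRUSTED = {
  google: ["google.com", "googleapis.com", "gstatic.com", "googletagmanager.com"],
};

// Character swaps commonly used to make a label read like a trusted name
// ("lnfo" for "info", "g00gle" for "google"). Multi-character swaps first.
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "i"], ["l", "i"]];

// Collapse a hostname label to a canonical form so "goog1e" and "google"
// compare equal after both are normalized.
function normalizeLabel(label) {
  let s = label.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

function isUnderTrusted(host, trustedDomains) {
  return trustedDomains.some((d) => host === d || host.endsWith("." + d));
}

// Returns null when the host is fine, otherwise a reason string explaining why
// it looks like a brand-impersonating lookalike (brand token present in some
// label, but the host is not under any of that brand's trusted domains).
function lookalikeReason(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  for (const [brand, trustedDomains] of Object.entries(TRUSTED)) {
    if (isUnderTrusted(host, trustedDomains)) continue;
    const target = normalizeLabel(brand);
    const hit = host.split(".").some((label) => normalizeLabel(label).includes(target));
    if (hit) return `host "${hostname}" uses brand "${brand}" outside its trusted domains`;
  }
  return null;
}

// Constructed sample of outbound requests seen from a checkout page; the third
// entry uses the exfiltration host named in the article, the fourth a made-up one.
const SAMPLE_REQUESTS = [
  "https://www.google.com/recaptcha/api.js",
  "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER",
  "https://google.ssl.lnfo.cc/collect",
  "https://g00gle-analytics.example/track",
  "https://checkout.example-shop.com/api/pay",
];

// Run the check over every request and keep only the suspicious ones.
function flagRequests(urls) {
  return urls
    .map((u) => ({ url: u, reason: lookalikeReason(new URL(u).hostname) }))
    .filter((r) => r.reason !== null);
}

for (const r of flagRequests(SAMPLE_REQUESTS)) console.log(r.reason);
```

The same check can run server-side over proxy or CSP violation logs, where the hostnames arrive as plain strings rather than live requests.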
Card skimmers, installed through vulnerable e-commerce websites, are a widespread occurrence. In July, RiskIQ said a recent ‘spray-and-pray’ campaign proved to be successful for the Magecart hacking group, which had managed to infect over 17,000 websites with card-skimming malware in just a few months.
Magento users, like those of WordPress and Drupal, are always advised to keep their software builds up to date. Magento domains are a common target of cyberattackers seeking to harvest financial data, with an estimated 83 percent of Magento websites reported as vulnerable to skimmers in 2018.
ZDNet has reached out to Google and will update if we hear back.