New Magecart Attack Using Modal Forms
Attackers are constantly improving their digital skimming techniques, and it's important for us to stay aware of the evolving threats. Recently, cybersecurity researchers at Malwarebytes discovered a new Magecart campaign - called Kritec - which deploys "Modal Forms" to deceive website visitors and steal their payment data. These forms are overlaid on the existing page content, giving the impression of a seamless checkout experience; in reality they are designed to collect sensitive payment data and Personally Identifiable Information without the user's knowledge.
What's interesting and concerning about this campaign is the attention to detail the attackers have put into creating a realistic "customer experience." The modal payment form is meticulously designed to match the merchant's branding, complete with an animated brand icon, making it difficult to distinguish from the legitimate payment form. Once customers enter their details into the injected form, they are shown a fake error message and then redirected to the genuine payment form, so the purchase still completes and nothing looks amiss.
It's crucial to understand the significance of these types of attacks. They persist because they exploit the growing popularity of eCommerce, as well as the limited cybersecurity knowledge within the eCommerce community. The attackers behind these campaigns are constantly evolving their techniques and finding new ways to compromise merchants.
Typically, the criminals target sites that exhibit one or more of the following characteristics:
- Exposed admin page - the admin login left in the eCommerce platform's default location. This makes it easy to find and simple to brute-force for admin credentials. Once they're in, expect the attackers to plant backdoors and other persistence mechanisms so the attack survives any clean-up.
- Missing security patches - once a security patch is released for a vulnerability, the whole community (goodies and baddies) is usually informed. Any website slow to deploy the patch then becomes an easy target.
- End-of-life software - software that is no longer supported receives no security patches for newly found vulnerabilities. These sites are easy targets and only grow more vulnerable over time as more issues are identified.
Identifying these sorts of attacks is exceedingly difficult without a proactive solution monitoring the website. Usually an affected merchant only finds out when its bank reports fraud on a number of cards that were all used at the merchant's website, which strongly indicates a Common Point of Purchase.
With an appropriate, proactive monitoring solution, identifying and stopping the attack early is simple.
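The Common Point of Purchase signal mentioned above is what an issuer computes over its own purchase records. The example below is added here and is not from the article or from ThreatView; the merchant names, card ids and dates are constructed. It ranks merchants by the share of compromised cards that shopped there (coverage) and by the share of that merchant's cards that went bad (purity), and reports the date window of the compromised cards' purchases as an estimate of when the checkout was skimmed.

```python
from collections import defaultdict

# Constructed sample data for this example (not from the article):
# issuer-side purchase records as (card_id, merchant, ISO purchase date).
TRANSACTIONS = [
    ("card-01", "shop-a.example", "2023-04-02"),
    ("card-02", "shop-a.example", "2023-04-05"),
    ("card-03", "shop-a.example", "2023-04-09"),
    ("card-04", "shop-a.example", "2023-04-11"),
    ("card-05", "shop-a.example", "2023-04-14"),
    ("card-01", "big-retailer.example", "2023-03-20"),
    ("card-02", "big-retailer.example", "2023-03-22"),
    ("card-03", "big-retailer.example", "2023-04-01"),
    ("card-04", "big-retailer.example", "2023-04-03"),
    ("card-05", "coffee.example", "2023-04-15"),
]
# Six clean cards also shop at the big retailer; two of them use a second shop.
TRANSACTIONS += [(f"card-{n}", "big-retailer.example", "2023-04-04") for n in range(10, 16)]
TRANSACTIONS += [("card-10", "shop-b.example", "2023-04-06"), ("card-11", "shop-b.example", "2023-04-07")]

# Cards the issuer later saw fraudulent charges on (constructed).
COMPROMISED = {"card-01", "card-02", "card-03", "card-04", "card-05"}


def rank_merchants(transactions, compromised):
    """Score every merchant by how well it explains the set of compromised cards."""
    cards_by_merchant = defaultdict(set)
    bad_dates_by_merchant = defaultdict(list)
    for card, merchant, day in transactions:
        cards_by_merchant[merchant].add(card)
        if card in compromised:
            bad_dates_by_merchant[merchant].append(day)
    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hits = cards & compromised
        ranked.append({
            "merchant": merchant,
            "hits": len(hits),
            # coverage: share of compromised cards that shopped here (a skimmed checkout nears 1.0)
            "coverage": len(hits) / len(compromised),
            # purity: share of this merchant's cards that went bad; separates the skimmed
            # shop from a large retailer that most cardholders happen to use anyway
            "purity": len(hits) / len(cards),
            # purchase dates of the compromised cards bound the likely infection window
            "first_seen": min(bad_dates_by_merchant[merchant], default=None),
            "last_seen": max(bad_dates_by_merchant[merchant], default=None),
        })
    ranked.sort(key=lambda r: (r["coverage"], r["purity"]), reverse=True)
    return ranked


def common_point_of_purchase(transactions, compromised, min_coverage=0.75, min_purity=0.5):
    """Merchants shared by most compromised cards whose customers are mostly compromised."""
    return [r for r in rank_merchants(transactions, compromised)
            if r["coverage"] >= min_coverage and r["purity"] >= min_purity]
```

With the constructed data, big-retailer.example is used by four of the five compromised cards but also by six clean ones, so its low purity rules it out, and shop-a.example is the only candidate, with an exposure window of 2023-04-02 to 2023-04-14.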
If you’re concerned about the security of your site, or if you want to get proactive about security, you can check your website security with ThreatView.