Skimming attack Shopify BigCommerce WooCommerce Zencart

Dutch ecommerce malware and vulnerability detection company Sansec claims they found a new digital credit card skimmer that also has affected hosted online stores on Shopify and BigCommerce. The skimmer code was also found on self-hosted online stores running Zencart and WooCommerce open source systems.

Online skimming attacks are also known as Magecart attacks. In a Magecart attack, personal transaction data is intercepted during the checkout phase of the infected online store and sent to the hacker group that developed the exploit. The personal data could be sold or traded on the darknet or used by the hacker(s) for their own purpose.

Typically digital commerce skimming attacks are more easily found on self-hosted open-source platforms, especially older systems such as the Magento 1 Community Edition that is no longer supported by the original developers and may have old unpatched vulnerabilities.

What makes this skimming attack so unique is that it involves multiple platforms, including two of the largest hosted commerce platforms in Shopify and BigCommerce. Usually hosted platforms do not allow custom Javascript on checkout pages, which is typically required for these skimmers to work.

How Does This Skimming Attack Work?

In this case, the hackers evaded this restriction by displaying a fraudulent payment form and recording the customer keystrokes (credit card and other personal details) before they entered the actual checkout page.

Sansec PayPal skimmer example
Source: Sansec

Once the data was intercepted, the skimmer showed an error message and redirected the customer to the real payment page. The use of the PayPal logo in this skimming attack is just a visual distraction to provide “confidence” to the buyer that the form is “real.” The attack does not require the merchant to have a PayPal account or exploits a new PayPal vulnerability.

Sansec PayPal skimmer example error message
Source: Sansec

“It is remarkable that so many different platforms are compromised in the same campaign. Typically, criminals exploit a flaw in a single platform. Attackers may have breached a shared component, eg software or a service that is used by all affected merchants. Another curious technique is that this skimmer uses programmatically generated exfiltration domains. It keeps a counter and uses base64 encoding to produce a new domain name.”

Sansec Statement

Skimming Attack Active Since August 2020

Sansec said the skimming attack has been active at least since August 2020. The cybersecurity company also said it involved a dozen stores, but it’s unclear from Sansec’s information how fast this issue is spreading and if other platforms could be vulnerable.

As a precaution, online merchants should follow their own checkout process looking for any problems. This is a good practice to do on a regular basis, but especially after adding, updating, or changing plugins or themes.

If an issue is found, online merchants with Shopify and BigCommerce should contact the platform’s customer service departments for help to remove this security threat.

For Zencart and WooCommerce, merchants may be able to get help from their hosting company if they support the installations of these open-source platforms. Otherwise, merchants may need to seek out help on user forums run by developers of the commerce systems or hire a third-party developer or cybersecurity specialist.

Connect With Us And Other Small Business Owners

Please head over to our Facebook Group for Small Business Sellers and interact with other small business owners.

Follow us on FacebookTwitter, and LinkedIn to stay up to date with relevant news and business insights for your online business.


Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *