Fraudulent payment form<\/h3>\n
What we see here is the use of a ‘modal<\/a>‘ which is a web page element displayed in front of the current active page. The modal disables and grays out the background so that the user can focus on the presented element instead. This is an elegant way for website owners to keep their customers on the same web site and have them interact with another form.<\/p>\n The problem is that this modal is entirely fake and designed to steal credit card data. It may sound hard to believe given everything matches to the original brand and feel of the site. Before digging further into why it is fraudulent, we will take a look at the same online store when the skimmer has been disabled.<\/p>\n In order to view this legitimate sequence, we first had to block the skimmer when requesting the e-commerce page. In our case, we simply blocked the connection to the malicious domain where the skimmer is hosted. As a result, the website will display what the original payment form should be (prior to the compromise).<\/p>\n The actual payment flow for this merchant is to redirect users to a third-party processor hosted by Dalenys, now part of Payplug<\/a>, a French payment solutions company. So rather than display a modal, it loads the webpage for the payment processor to allow the user to enter their banking information. Once that is validated, it will take them back to the merchant page.<\/p>\n The malicious modal is built very cleanly and contains an animation that displays the store’s logo in the middle and then moves it back up. We have to give credit where credit is due: this is a very well done skimmer that is actually a smoother user experience than the store’s default. We should also note that the malware author is not only well versed in web design, they also use proper language (French) for each form field.<\/p>\n However, we noticed a small mistake in the hyperlink for Politique de confidentialité<\/em> (terms of use). That link redirects to the terms of use for Mercardo Pago<\/a>, a payment processor used in South America. It is likely the threat actor copied the data from a previous template and did not notice their mistake. This is just a detail, and does not affect the functionality of the skimmer at all.<\/p>\n We can try to look for this erroneous hyperlink within the skimmer source code in order to confirm that the modal was created by the threat actor. The skimmer is rather complex and heavily obfuscated but we can see that HTML content is generated dynamically and goes through a decodeURIComponent<\/em> routine.<\/p>\n Figure 4: Extracting code from the skimmer to reveal connection with the modal<\/em><\/p>\n If we step through the code until the modal is loaded, we can grabbing the Base64 value corresponding to the HTML content. One we have it, we can convert it to plain text and finally see the reference to mercadopago, that is proof that the skimmer is the one rendering this beautiful modal. In fact, we can see the whole thing is an iframe called v.ECPay:<\/p>\n We recreated the payment flow from the perspective of a customer shopping via that compromised store. We can see that upon selecting the credit card payment option, the malicious modal is loaded and will harvest their payment card details.<\/p>\n A fake error is then displayed briefly “votre paiment a été annulé” (your payment was cancelled) before the user is redirected to the real payment URL:<\/p>\n On the second attempt, the payment will go through and victims will be unaware of what just happened.<\/p>\n The skimmer will drop a cookie which will serve as an indication that the current session is now marked as completed. If the user was to go back and attempt the payment again, the malicious modal would no longer be displayed (instead the real payment method by the external processor Dalenys will be used).<\/p>\n We now believe this Kritec skimmer is part of the same compromises with injections into vulnerable websites where malicious code is placed within the Google Tag Manager script. It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly.<\/p>\n While many hacked stores had a generic skimmer, it appears the custom modals were developed fairly recently, maybe a month or two ago. The threat actor is using different domains to host the skimmer but names them in a similar way: [name of store]-loader.js<\/strong>.<\/p>\n We crawled several thousand e-commerce sites and found more fraudulent modals, in different languages.<\/p>\n Discerning whether an online store is trustworthy has become very difficult and this case is a good example of a skimmer that would not raise any suspicion.<\/p>\n If you are a Malwarebytes customer, you will get a notification and block when attempting to make a purchase from a store that has been compromised by this skimmer.<\/p>\n Domain names<\/strong><\/p>\n IP addresses<\/strong><\/p>\n YARA rule<\/strong><\/p>\n Whether you are visiting an online store from home or while at work, web protection is a critical layer in your overall defense. Malwarebytes Premium for consumers<\/a> and Endpoint Protection for businesses<\/a> provide real-time protection against threats like Magecart.<\/p>\n TRY NOW<\/a><\/p>\n<\/p><\/div>\n https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file6854_264365_e.png\")
Figure 1: Compromised store loads fake payment modal<\/em><\/p>\nActual (real) payment form<\/h3>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file73914_264365_e.png\")
Figure 2: Legitimate payment form when same store is not compromised<\/em><\/p>\nMalicious modal<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file68786_264365_e.png\")
Figure 3: A closer look at the fake modal<\/em><\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file14011_264365_e.png\")
<\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file34067_264365_e.png\")
Figure 5: The iframe created by the skimmer to display the modal<\/em><\/p>\nFull payment flow<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file67566_264365_e.gif\")
Figure 6: Payment process flow with the skimmer active<\/em><\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file37928_264365_e.png\")
Figure 7: Cookie dropped by skimmer once data has been stolen<\/em><\/p>\nOngoing, covert campaigns<\/h2>\n
![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file72784_264365_e.png\")
Figure 8: A Dutch e-commerce site with the fake modal<\/em><\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file18429_264365_e.png\")
Figure 9: A Finnish e-commerce site with the fake modal<\/em><\/p>\n![\"\"](\"https:\/\/www.malwarebytes.com\/blog\/threat-intelligence\/2023\/04\/easset_upload_file2247_264365_e.png\")
Figure 10: Skimmer being blocked by Malwarebytes<\/em><\/p>\nIndicators of Compromise<\/h2>\n
genlytec[.]us
shumtech[.]shop
zapolmob[.]sbs
daichetmob[.]sbs
interytec[.]shop
pyatiticdigt[.]shop
stacstocuh[.]quest<\/pre>\n195.242.110[.]172
195.242.110[.]83
195.242.111[.]146
45.88.3[.]201
45.88.3[.]63<\/pre>\nrule kritecloader
{
strings:
$string = \"'fetchModul'\"
$string2 = \"'setAttribu'\"
$string3 = \"'contentWin'\"
$string4 = \"'zIndex'\"
condition:
all of them
}<\/pre>\n
\n