New E-Commerce Skimmer Impersonates PayPal Form

Summary

A new e-commerce skimmer, discovered by a researcher who goes by the Twitter handle Affable Kraut, uses a new technique to steal customer payment card data. In these Magecart attacks, the threat actor steals the personal information entered into the checkout page to pre-fill a fraudulent PayPal order page. This malicious webpage also includes the customer’s order items and total payment due, increasing the appearance of legitimacy. If the customer provides their payment information, it is stolen by the threat actors (in a process where data is exfiltrated to apptegmaker[.]com, which is associated with tawtalk[.]com) and the customer is redirected to the legitimate checkout page.

Recommendations

The NJCCIC recommends e-commerce customers stay vigilant and look out for indications of suspicious webpages and payment processes. Customers may consider using credit over debit, as credit often provides better consumer fraud protection, and enable payment transaction notifications to alert of any unauthorized charges. If an unauthorized transaction occurs, notify the associated bank immediately, lock the payment card (where available), and request a new card. For additional information on this new technique, please review the Bleeping Computer article.