Credit card skimming off e-commerce’s sites is so prevalent that two groups of the same cyber gang encountered each other in the same operation, however one has come out worse for wear.
The two groups encountered each other on the Umbro Brasil website, a popular sportswear brand and site where customers can purchases sporting gear. Both groups hacked the site and injected their own credit card skimming code into it.
However, in a sign of just how ruthless cybercriminals can be, one group’s skimming code is designed to sabotage the code belonging to any competitors.
Both groups are using MageCart affiliated web-skimming code and tactics, leading researchers to believe that they are part of the same gang.
Everything one group of hackers did in this attack looks like a normal day out for the threat actors, but Malwarebytes researcher Willem de Groot identified a cheeky twist in the second attackers code.
Read More: Magecart’s 7 Groups: Hackers Dropping Counter-Intelligence Code in JavaScript Skimmers
Essentially the second group’s code was designed to detect if another skimmer was operating on the website. If it successfully finds another active skimmer it starts to intercept the card details been captured by its competitor in order to change the last digit of each credit card number.
This act serves two functions, firstly the more sophisticate group has tainted the credit details of its rival, while also ensuring that what they stole is the only valid version of the credit card details.
Content from our partners
Secondly, because these card details are no longer legitimate their sale on the blackmarket will result in brand damage for the group trying to sell them.
Malwarebytes Lsbs researcher Jérôme Segura commented in a blog post that: “By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer. Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”
Magecart Skimmer
The original Magecart skimmer was comprised of JavaScript embedded into e-commerce pages. Whenever card data was entered into a form, the skimmer copied the form and sent the stolen card data to a drop server.
RiskIQ and industry risk intelligence experts Flashpoint commented in a report on the group that: “Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use.”
In the Umbro Brasil attack the first hacker’s skimmer had no obfuscated in any meaningful way and it withdrew the stolen data in a standard JavaScript Object Notation (JSON) output.
Then a second skimmer was detected on the website that was loaded from g-statistic[.]com, this skimmer however was very much obfuscated.
“The following code snippet shows how certain domain names trigger this mechanism. Here we recognize bootstrap-js[.]com, which is the first skimmer. Then, a random integer ranging from 0 to 9 is generated for later use. Finally, the credit card number is stripped of its last digit and the previously generated random number is used,” notes Jérôme Segura.
Image Source: Malwarebytes. Code to conditionally swap the last digit of the credit card (decoding courtesy of Willem de Groot)
The fact that two skimmers were active on the site and that one was sophisticated enough to mess with its competitor goes to show how serious and prevalent the issue of online card skimming is.
With the busy online shopping events of black Friday and cyber Monday just days away IT departments need to be extra vigilant for any unusual activity on their websites. While consumers need to be in a position to react quickly when, not if, their credit cards become compromised due to an online skimming campaign.
