Cybersecurity researchers recently uncovered a long-running web skimming operation that has targeted major global payment networks since early 2022. The campaign utilizes malicious JavaScript injected into e-commerce portals to stealthily harvest credit card data and personal information from unsuspecting customers during the checkout process.
A large-scale digital skimming campaign has been active for over two years, impacting clients of major payment providers including American Express, Mastercard, and UnionPay. This operation is linked to the Magecart category of cybercrime, where attackers compromise legitimate websites to record sensitive payment details through hidden malicious scripts. Security analysts identified the threat by tracing suspicious domains back to a hosting provider that has been attempting to evade international sanctions through rebranding and corporate restructuring.
The mechanics of these attacks involve a technique known as client-side skimming, in which attackers inject malicious code into the pages a website serves to its visitors. Once a user enters payment information on a compromised checkout page, the script captures the data in real time, before it ever reaches the merchant's servers. This lets criminals bypass many traditional server-side security controls, because the theft occurs directly within the user's web browser.
Researchers traced the origin of this specific campaign to a domain used for hosting obfuscated JavaScript payloads. These files, often disguised with names like recorder.js to blend in with standard web analytics, are delivered to online shops to facilitate the theft. The investigation highlighted a connection to a sanctioned hosting entity that has recently changed its name and corporate registration in the Netherlands to maintain its infrastructure and continue supporting illicit activities.
To remain hidden from website owners, the malicious software includes specific evasion tactics designed to detect if a security professional or administrator is viewing the page. For example, the script scans the website code for elements associated with administrative toolbars. If it detects that a logged-in administrator is present, the skimming code remains dormant to avoid being flagged during routine site maintenance or security audits.
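As an added illustration (not code from the article or the researchers it cites), the following Node.js script inventories the script tags on a checkout page and flags the ones a defender should review first: scripts from hosts not on the merchant's allowlist, and external scripts loaded without Subresource Integrity. All host names and the sample page are constructed placeholders.

```javascript
// Added example (not from the article): inventory the <script> tags on a checkout
// page and flag what a defender should review first: scripts from hosts not on the
// merchant's allowlist, and external scripts loaded without Subresource Integrity.
// Host names and the sample page below are constructed placeholders.
const ALLOWED_HOSTS = new Set(["shop.example", "analytics.vendor.example"]);

// Pull every <script> tag with its src and integrity attributes out of raw HTML.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({
      src: src ? src[1] : null,
      integrity: integrity ? integrity[1] : null,
      inlineLength: src ? 0 : m[2].trim().length, // inline code needs content review
    });
  }
  return scripts;
}

// Resolve each external script against the page origin and classify it.
function auditScripts(scripts, allowedHosts, pageOrigin) {
  const findings = [];
  for (const s of scripts) {
    if (!s.src) continue; // host checks only apply to external scripts
    const host = new URL(s.src, pageOrigin).hostname;
    if (!allowedHosts.has(host)) {
      findings.push({ src: s.src, host, reason: "unknown-third-party-host" });
    } else if (!s.integrity) {
      findings.push({ src: s.src, host, reason: "missing-sri" });
    }
  }
  return findings;
}

// Constructed checkout page: two expected scripts plus one injected "analytics" file.
const SAMPLE_HTML = `<html><body>
<script src="/js/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://analytics.vendor.example/tag.js"></script>
<script src="https://static.cdn-placeholder.invalid/recorder.js"></script>
<script>window.cfg = { currency: "USD" };</script>
<form id="payment"><input name="cardnumber"></form>
</body></html>`;

const PAGE_ORIGIN = "https://shop.example/checkout";
console.log(auditScripts(extractScripts(SAMPLE_HTML), ALLOWED_HOSTS, PAGE_ORIGIN));
```

Because the skimmer goes dormant when it detects a logged-in administrator, fetch the HTML for such a check from an ordinary, logged-out customer session rather than from an admin browser.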
The broader threat landscape for these attacks is often referred to as Magecart, an umbrella term for various criminal groups that specialize in targeting e-commerce platforms. While these groups originally focused on sites using Magento software, they have since expanded their reach to include a wide variety of content management systems and payment gateways. This evolution demonstrates the increasing sophistication of digital theft operations and the ongoing risk to enterprise organizations and their customers worldwide.
Source: Long Running Web Skimming Campaign Steals Credit Cards From Checkout Pages