Fraudsters are using fake Google domains to target Magento customers, the Sucuri Blog reports. In a post to their website, they describe Magento users contacting them about McAfee Site Advisor sending them warnings. Unfortunately, it appears a credit card skimmer using JavaScript loaded from the malicious google-analytîcs[.]com web address is responsible.

The domain is a well known ruse by hackers who prey on its use of the well known Google Analytics domain and brand name to trick unsuspecting users. This tactic is well known, but effective.

“The input data capture is similar to other Magento credit card stealers we have posted about before,” the post said. “It uses the loaded JavaScript to capture any input data using the document.getElementsByTagName and input or stored element names for capturing drop down menu data.”

A Comprehensive Attack

Interestingly, the attack code will change its behavior based on if a user has DevTools open, and what kind.

For both Chrome and Firefox, the presence of open tools stops the attack. This is a highly sophisticated tactic that helps the attack go undetected by and remain under the radar. Moreover, the attack can use all of the most popular payment gateways. This includes solutions with integrated eCommerce fraud prevention tools like PayPal This allows it to cast a wide net and gives each successful infection the best chance of success.

In addition to the skimming, the malware executes a second attack. This attack sends users to a second fake domain google[.]ssl[.]lnfo[.]cc:‘. This code collects information from Magento’s user admin configuration, which hackers can use to conduct subsequent attacks.


Share This Article:
Tags: ,

Related Article

Our Sponsors

Get the 2020 Chargeback Representment Guide

chargeback representment guide

Get the 2020 Fraud Trends Report

fraud trends report

Join our Community

join the community

Our Sponsors

Stay in Touch