Fake Google Domains Used in Credit Card Skimming Campaign

Security researchers came across a malicious campaign that is using quite convincing, fake Google domains to trick website visitors into trusting the pages to perform online transactions.

More specifically, the campaign was reported by Sucuri researchers, who were contacted by a Magento website owner whose site “had been blacklisted and was experiencing McAfee SiteAdvisor ‘Dangerous Site’ warnings”.

Sucuri’s investigation “revealed that the site had been infected with a credit card skimmer loading JavaScript from the malicious internationalized domain google-analytîcs[.]com (or xn--google-analytcs-xpb[.]com in ASCII)”. The domain differs from the genuine google-analytics[.]com only by the accented “î”; browsers resolve such an internationalized name through its Punycode form, which is what the ASCII version shows.

How does the fake Google domain deceive victims?

Hackers “purposely selected the domain name with the intention of deceiving unsuspecting victims”. Users who glance at the address see a reputable name such as Google and assume it is safe to proceed, when in fact the page is about to load JavaScript from a domain that merely looks like Google’s.

The same trick is common in phishing attacks, where it is used to make a phishing page look legitimate, the researchers explain.

The loaded scripts contain digital credit card skimming code that automatically harvests payment data such as the cardholder’s name, card number and CVV digits.

The investigation also reveals that the input data capture is similar to that of other Magento credit card skimmers. In short, the loaded JavaScript captures whatever is typed into form fields by enumerating them with document.getElementsByTagName('input'), and uses stored element names to capture the selections made in drop-down menus.

One of the interesting parts of this campaign is that the code changes its behaviour depending on whether the developer tools of the Chrome or Firefox browser are open. If developer tools are detected, the skimmer does not attempt to grab any information, an anti-analysis measure aimed at the people most likely to be inspecting the checkout page.

The skimmer supports many payment gateways. When developer tools are not detected, the stolen information is sent to a remote server on another domain disguised as Google, google[.]ssl[.]lnfo[.]cc. Here the brand name is only a subdomain: the registrable domain is lnfo[.]cc, with a lowercase “l” standing in for the “i” of “info”.
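Both lookalike hosts on this page, the IDN loader domain and the exfiltration domain, can be caught by auditing the hosts a checkout page loads scripts from and sends data to. The following is an added example written for this article, not code from Sucuri’s report or from the skimmer: it extracts external script sources from a page’s HTML, lets the WHATWG URL parser convert any internationalized hostname into the Punycode form the browser actually resolves, and flags hosts that carry a Punycode label or use a brand name without sitting on a registrable domain that brand owns. The page origin, allowlist, brand list, sample HTML and observed request URLs are all constructed assumptions.

```javascript
// Added example for this article (not code from the Sucuri report or from the
// skimmer itself): audit the hosts a checkout page loads scripts from or sends
// requests to, and flag lookalike domains. All names below are constructed.

// Hosts the shop legitimately loads analytics/tag scripts from (assumption).
const ALLOWED_HOSTS = new Set([
  "www.google-analytics.com",
  "www.googletagmanager.com",
]);

// Registrable domains the brand actually owns (assumption, deliberately short).
const BRAND_DOMAINS = {
  google: ["google.com", "google-analytics.com", "googletagmanager.com"],
};

// Pull src attributes out of <script> tags. A regex is enough for this static
// audit; a crawler would use a real DOM parser instead.
function extractScriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Approximate the registrable domain as the last two labels. Adequate for the
// .com/.cc hosts here; production code should consult the Public Suffix List.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Classify one URL relative to the page it was seen on. The WHATWG URL parser
// converts an IDN hostname to the ASCII (Punycode) form the browser actually
// resolves, so a homoglyph such as "î" surfaces as an "xn--" label.
function classifyUrl(kind, raw, pageOrigin) {
  let url;
  try {
    url = new URL(raw, pageOrigin);
  } catch {
    return { kind, raw, host: null, verdict: "unparseable", reasons: [] };
  }
  const host = url.hostname;
  if (url.origin === new URL(pageOrigin).origin) {
    return { kind, raw, host, verdict: "first-party", reasons: [] };
  }
  if (ALLOWED_HOSTS.has(host)) {
    return { kind, raw, host, verdict: "allowed", reasons: [] };
  }
  const reasons = [];
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("Punycode (IDN) label in host");
  }
  const reg = registrableDomain(host);
  for (const [brand, owned] of Object.entries(BRAND_DOMAINS)) {
    if (host.includes(brand) && !owned.includes(reg)) {
      reasons.push(`"${brand}" in host but registrable domain is ${reg}`);
    }
  }
  const verdict = reasons.length ? "suspicious" : "unknown-third-party";
  return { kind, raw, host, verdict, reasons };
}

// Audit a page: its <script src> values plus any outbound request URLs that
// were observed (e.g. in a proxy log) while the checkout form was used.
function auditPage(html, observedRequests, pageOrigin) {
  const scripts = extractScriptSources(html).map((s) => classifyUrl("script", s, pageOrigin));
  const requests = observedRequests.map((r) => classifyUrl("request", r, pageOrigin));
  return scripts.concat(requests);
}

// Constructed sample: a first-party script, the real GA loader, the IDN
// lookalike from the report, and two outbound requests seen during checkout.
const SAMPLE_HTML = `
<script src="/static/js/checkout.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript" src="https://google-analytîcs.com/analytics.js"></script>
`;
const SAMPLE_REQUESTS = [
  "https://www.google-analytics.com/collect?v=1&t=pageview",
  "https://google.ssl.lnfo.cc/collect",
];
const SAMPLE_ORIGIN = "https://shop.example";

for (const f of auditPage(SAMPLE_HTML, SAMPLE_REQUESTS, SAMPLE_ORIGIN)) {
  console.log(`${f.verdict.padEnd(19)} ${f.kind.padEnd(7)} ${f.host}  ${f.reasons.join("; ")}`);
}
```

Running this with node prints one line per host: the loader resolves to xn--google-analytcs-xpb.com and trips both the Punycode and the brand check, while google.ssl.lnfo.cc is plain ASCII and trips only the brand check. The two-label registrable-domain guess and the tiny allowlists are where a real deployment would substitute the Public Suffix List and the shop’s actual script inventory.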

To protect an ecommerce website, the expert advice for Magento site owners is to install the latest security patches as soon as they become available. If you are unable to update your site, you can leverage a web application firewall to virtually patch known vulnerabilities, Sucuri adds. Site owners should also review the external script sources their checkout pages load, comparing each hostname in its ASCII (Punycode) form against the domains they actually expect, since a lookalike such as the one above is designed to pass a casual visual check.

Milena Dimitrova