Malwarebytes Labs recently detected a Magecart skimmer with an unusual feature: it records the victim’s IP address and browser user agent alongside sensitive data like email, phone number, and credit card information. Magecart attacks have been on the rise and have become a prevalent threat for businesses that handle online financial transactions.
The attackers are attempting to build a unique profile of each victim, a technique familiar from traditional malware campaigns. The only difference is that the Magecart skimmer is loaded via iframes only when the checkout page is accessed.
The researchers found that the skimming code queries a legitimate Cloudflare API endpoint to extract the user’s current IP address and browser user agent after it has already obtained the victim’s credit card data. They believe that the hackers collect this information for quality checks and monitoring purposes, to detect bots and security researchers.
While the behavior itself may not necessarily be harmful, it highlights the advanced capabilities of modern skimming techniques, which can make it difficult for merchants to detect and prevent attacks.
The bottom line is that businesses using eCommerce platforms like Magento and WordPress/WooCommerce must be aware of credit card skimmers and implement robust security defenses to prevent such attacks. Malwarebytes Labs has provided IOCs to help analysts track the skimmer and take appropriate measures. With the attackers having access to a wide range of personal data and advanced monitoring tools, it is essential for merchants to implement proactive security measures to avoid data breaches and loss of customer trust.
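As an added example (not code from Malwarebytes Labs or from the skimmer), the following sketch shows one way a merchant could audit a browser capture of the checkout page for the two behaviors described above: an iframe from an unapproved origin, and an IP/user-agent lookup issued from inside such a frame. The hostnames, the entry format and the `/cdn-cgi/trace` path are assumptions made for illustration; the report summarized here does not name the endpoint.

```javascript
// Added example; every hostname and request below is constructed sample data.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",      // the store itself (hypothetical)
  "https://payments.example",  // the merchant's payment provider (hypothetical)
]);

// Assumption: the IP/user-agent lookup is a request to a "/cdn-cgi/trace" path.
const IP_LOOKUP = /\/cdn-cgi\/trace(?:$|\?)/;

// Returns the origin of a URL, or null if it cannot be parsed (treated as untrusted).
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// entries: [{ pageUrl, url, type, initiator }] as exported from a browser capture.
function auditCheckoutRequests(entries) {
  const findings = [];
  for (const e of entries) {
    const page = originOf(e.pageUrl) && new URL(e.pageUrl);
    // The skimmer loads only at checkout, so only that page is audited.
    if (!page || !page.pathname.startsWith("/checkout")) continue;

    // Rule 1: an iframe on the checkout page from an origin nobody approved.
    if (e.type === "sub_frame" && !ALLOWED_ORIGINS.has(originOf(e.url))) {
      findings.push({ rule: "unexpected-iframe", url: e.url });
    }
    // Rule 2: an IP/user-agent lookup issued from inside an unapproved frame.
    if (IP_LOOKUP.test(e.url) && !ALLOWED_ORIGINS.has(originOf(e.initiator))) {
      findings.push({ rule: "ip-lookup-from-untrusted-frame", url: e.url });
    }
  }
  return findings;
}

const SAMPLE = [
  { pageUrl: "https://shop.example/checkout", url: "https://payments.example/card.html",
    type: "sub_frame", initiator: "https://shop.example/checkout" },
  { pageUrl: "https://shop.example/checkout", url: "https://cdn-static.invalid/pay.html",
    type: "sub_frame", initiator: "https://shop.example/checkout" },
  { pageUrl: "https://shop.example/checkout", url: "https://edge.example/cdn-cgi/trace",
    type: "xhr", initiator: "https://cdn-static.invalid/pay.html" },
  { pageUrl: "https://shop.example/products/1", url: "https://ads.invalid/banner.html",
    type: "sub_frame", initiator: "https://shop.example/products/1" },
];

console.log(auditCheckoutRequests(SAMPLE));
```

Run against a fresh capture of the checkout flow after each deployment; a new finding means a frame or lookup appeared that was not there when the allowlist was written.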