A website set up to accept donations for victims of the devastating Australian bushfires has become a victim itself — of digital skimming code designed to harvest card details.
Security researchers at Malwarebytes took to Twitter to reveal the problems that hit the unnamed donations site, which was raising money for those affected by fires in Lake Conjola that have destroyed scores of homes.
In such Magecart-style attacks, hackers typically inject malicious JavaScript into payment pages to harvest card and personal data as it is entered by shoppers or, in this case, donors to a worthy cause. The data is then exfiltrated to an external domain under the attackers’ control.
It’s a tried-and-tested method for data theft that lands the attackers with a complete set of information for each victim, worth more on the dark web than individual components.
In this incident, the malicious script in question was identified as “ATMZOW” and the known bad domain it exfiltrated data to was vamberlo[.]com.
Replying to the post on Twitter, Troy Mursch of security firm Bad Packets claimed that the same malicious script had been identified targeting an additional 39 separate websites.
Deepak Patel, security evangelist at PerimeterX, argued that Magecart attackers have hit new lows with this latest raid.
“Given the lack of visibility into such client-side attacks, the website owners often find out about the data breach days or weeks after the code injection. This extended time allows skimmers to monetize the stolen cards to the fullest extent,” he explained.
“Any site that processes user PII and accepts payments should take steps to shore up their application security by tracking and monitoring first- and third-party code execution on their sites in real time.”
RiskIQ last year claimed to have identified over two million Magecart detections in the wild — a sign of its growing popularity among black hat data thieves.
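As an added illustration of the script monitoring recommended above (this is not code from Malwarebytes, PerimeterX or the affected site), the following Node.js sketch inventories the hosts a payment page's scripts load from or reference and compares them with an allowlist and with the domain named in this article. The page origin, allowlist and sample HTML are constructed placeholders.

```javascript
// Added example (not from the article): flag script hosts on a payment page.
const KNOWN_BAD = ["vamberlo[.]com"]; // domain named in the article, kept defanged
const refang = (d) => d.replace(/\[\.\]/g, ".");
const matches = (host, domain) => host === domain || host.endsWith("." + domain);

// Collect hosts from <script src> and from absolute URLs inside inline scripts.
function scriptHosts(html, pageOrigin) {
  const hosts = new Set();
  const add = (url) => {
    try { hosts.add(new URL(url, pageOrigin).hostname); } catch { /* unparsable */ }
  };
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) add(src[1]);
    for (const u of m[2].matchAll(/https?:\/\/[^\s"'`)<>]+/gi)) add(u[0]);
  }
  return hosts;
}

// Known-bad hosts are labelled as such; other hosts off the allowlist are "unlisted".
function audit(html, pageOrigin, allowedHosts) {
  const bad = KNOWN_BAD.map(refang);
  const findings = [];
  for (const host of scriptHosts(html, pageOrigin)) {
    if (bad.some((d) => matches(host, d))) findings.push({ host, verdict: "known-bad" });
    else if (!allowedHosts.some((d) => matches(host, d))) findings.push({ host, verdict: "unlisted" });
  }
  return findings;
}

// Constructed sample page: hosts and paths are placeholders, not the real site.
const ORIGIN = "https://donate.example";
const ALLOWED = ["donate.example", "cdn.example.net"];
const SAMPLE = `
<script src="/js/form.js"></script>
<script src="https://cdn.example.net/lib.min.js"></script>
<script src="//stats.example.org/t.js"></script>
<script>var endpoint = "https://${refang(KNOWN_BAD[0])}/c";</script>`;

for (const f of audit(SAMPLE, ORIGIN, ALLOWED)) console.log(f.verdict, f.host);
```

A static scan misses hostnames that a skimmer assembles at runtime, so it complements rather than replaces runtime controls such as a Content-Security-Policy `connect-src` allowlist.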