Researchers have been looking at an ongoing Magecart effort that uses authentic-looking fraudulent payment windows to steal personal data from unwary customers. The threat actor behind the effort hijacked the checkout page using actual logos from the hacked shop and altered a web element known as a modal, making the skimmer appear more authentic than the original payment page.
Magecart refers to a gang of cybercriminals who employ skimming tactics to steal consumer information and payment information from e-commerce websites. The term “Magecart” came from the group’s original focus on the Magento platform. According to Sansec statistics, the first Magecart-like assaults were discovered in 2010.
As an evasion method, the current incarnation of the campaign includes the injection of a skimmer called Kritec, which impersonates respectable third-party providers like Google Tag Manager.
The skimmer is both complicated and deeply disguised, and it is activated when a credit card is selected as a payment method on the hijacked website. Once the payment card information is obtained, the victim is shown a bogus error message about payment cancellation before being redirected to the actual payment page, and the payment is processed.
The sources for this piece include an article in TheHackerNews.