Fraudsters are using fake Google domains to target Magento customers, the Sucuri Blog reports. In the post, Sucuri describes Magento users contacting them after McAfee Site Advisor began sending them warnings. It appears the cause is a credit card skimmer whose JavaScript is loaded from the malicious domain 'google-analytîcs[.]com'.
The domain is a lookalike of the legitimate Google Analytics domain (note the accented 'î' in place of the 'i'), a ruse that trades on the well known Google Analytics name and brand to mislead unsuspecting users. The tactic is not new, but it remains effective.
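A defender-side check that the post suggests is worth having: scan a page's script sources for hosts that merely resemble a trusted brand domain. The example below is added here and is not Sucuri's code; the allowlist, the confusable map and the sample checkout HTML are constructed assumptions for the example. It flags a non-ASCII host, a host whose "skeleton" (accents stripped, confusable letters folded) collides with a brand domain, and a brand name used as a subdomain of an unrelated domain, which covers both of the lookalike domains named in the post.

```python
"""Flag lookalike / homoglyph hosts among a page's <script src> tags.

Added example, not code from the Sucuri post. ALLOWED_HOSTS, BRAND_DOMAINS,
CONFUSABLES and SAMPLE_HTML are assumptions constructed for this example.
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop is expected to load scripts from (assumed allowlist).
ALLOWED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# Brand domains whose lookalikes we want to catch.
BRAND_DOMAINS = {"google-analytics.com", "google.com"}
# Small confusable map: visually similar sequences folded to one form.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o"}


def skeleton(host):
    """Reduce a host to an ASCII 'skeleton' so visually similar strings compare equal."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    # Drop combining marks, e.g. the circumflex on 'î', leaving the base letter.
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for seq, repl in CONFUSABLES.items():
        folded = folded.replace(seq, repl)
    return folded


def classify(host):
    """Return a list of reasons the host looks suspicious (empty list = looks fine)."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return []
    # An exact brand domain (or a real subdomain of one) is legitimate.
    if any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS):
        return []
    reasons = []
    labels = host.split(".")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in labels):
        reasons.append("non-ASCII/punycode host")
    sk = skeleton(host)
    for brand in BRAND_DOMAINS:
        bsk = skeleton(brand)
        if sk == bsk or sk.endswith("." + bsk):
            reasons.append(f"skeleton matches {brand}")
            break
    # Brand name appearing as a subdomain label of some other registrable domain.
    brand_labels = {skeleton(b).split(".")[0] for b in BRAND_DOMAINS}
    if not reasons and any(lbl in brand_labels for lbl in sk.split(".")[:-2]):
        reasons.append("brand name used as subdomain of unrelated domain")
    return reasons


class ScriptSrcCollector(HTMLParser):
    """Collect the hostnames of every <script src=...> on a page."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            host = urlparse(src if "//" in src else "//" + src).hostname
            if host:
                self.hosts.append(host)


def scan_html(html):
    """Map each suspicious script host on the page to its list of reasons."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = {}
    for host in parser.hosts:
        reasons = classify(host)
        if reasons:
            findings[host] = reasons
    return findings


# Constructed checkout page: the real GA script, the two lookalikes from the
# post (written as live-looking hostnames), and an unrelated shop CDN.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-analytîcs.com/ga.js"></script>
<script src="https://google.ssl.lnfo.cc/collect.js"></script>
<script src="https://cdn.example-shop.com/checkout.js"></script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    for host, reasons in scan_html(SAMPLE_HTML).items():
        print(f"{host}: {', '.join(reasons)}")
```

Run it against a saved copy of the checkout page (or feed it the HTML you capture from the storefront); the skeleton comparison is what lets an accented 'î' or a digit '1' collide with the brand name it imitates, while the subdomain check catches the second pattern of a real brand word hung off an unrelated registrable domain.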
“The input data capture is similar to other Magento credit card stealers we have posted about before,” the post said. “It uses the loaded JavaScript to capture any input data using the document.getElementsByTagName and input or stored element names for capturing drop down menu data.”
A Comprehensive Attack
Interestingly, the attack code changes its behavior depending on whether the user has the browser's developer tools (DevTools) open, and which browser is in use.
For both Chrome and Firefox, the presence of open DevTools stops the attack. This is a highly sophisticated tactic that helps the attack go undetected and remain under the radar. Moreover, the attack supports all of the most popular payment gateways, including solutions with integrated eCommerce fraud prevention tools such as PayPal. This lets it cast a wide net and gives each successful infection the best chance of success.
In addition to the skimming, the malware executes a second attack, which sends users to a second fake domain, 'google[.]ssl[.]lnfo[.]cc'. This code collects information from Magento's user admin configuration, which the attackers can use to conduct subsequent attacks.
Source: https://blog.sucuri.net/2019/07/fake-google-domains-used-in-evasive-magento-skimmer.html