
Researchers from Chinese cybersecurity firm Qihoo 360’s NetLab have revealed details of an ongoing credit card hacking campaign that is currently stealing payment card information of customers visiting more than 105 e-commerce websites.

While monitoring a malicious domain, www.magento-analytics[.]com, for over last seven months, researchers found that the attackers have been injecting malicious JS scripts hosted on this domain into hundreds of online shopping websites.

The JavaScript in question contains digital credit card skimming code that, when executed on a site, automatically steals payment card information entered by its customers, such as the cardholder's name, card number, expiration date and CVV.

In an email interview, a NetLab researcher told The Hacker News that they don't have enough data to determine how the hackers infected the affected websites in the first place or what vulnerabilities they exploited, but did confirm that all of the affected shopping sites are running the Magento e-commerce CMS software.

Further analysis revealed that the malicious script then sends the stolen payment card data to another file hosted on the magento-analytics[.]com server controlled by the attackers.
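The skimmer described above reaches the victim's browser as an externally hosted script tag injected into the store's pages, so one cheap detection on the defender's side is to inventory every `<script src>` on checkout pages and flag any host that is not on an allowlist, then turn that same allowlist into a Content-Security-Policy that blocks unlisted script origins outright. The Python below is an added example, not code from NetLab or The Hacker News; the sample HTML, the allowlisted CDN host `cdn.example-shop.com` and the script path under the malicious domain are constructed for illustration (the domain itself is the one named in the article).

```python
"""Inventory third-party script hosts on a storefront page and flag the
ones outside an allowlist; the footprint an injected skimmer tag leaves
in page HTML. Standard library only, so it runs offline."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page: one first-party script (relative path),
# one allowlisted CDN script, and one injected tag pointing at the domain
# named in the article. The filename under that domain is a placeholder,
# not a path observed in the campaign.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/frontend/js/checkout.js"></script>
<script src="https://cdn.example-shop.com/js/jquery.min.js"></script>
<script type="text/javascript"
        src="https://www.magento-analytics.com/PLACEHOLDER_skimmer.js"></script>
</head><body><form id="payment">...</form></body></html>
"""

# Hosts a store operator has deliberately chosen to load scripts from.
# Constructed for the example; a real list comes from the site's own config.
ALLOWED_SCRIPT_HOSTS = ["cdn.example-shop.com"]


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def script_hosts(html):
    """Return the host of each <script src>, in document order.
    Relative paths (served by the store itself) yield None."""
    parser = ScriptSourceCollector()
    parser.feed(html)
    # urlparse handles absolute and protocol-relative (//host/x) URLs alike.
    return [urlparse(src).hostname for src in parser.sources]


def unexpected_script_hosts(html, allowed_hosts):
    """Return the sorted, de-duplicated set of external script hosts that
    are not on the allowlist. An empty list means nothing to investigate."""
    allowed = {h.lower() for h in allowed_hosts}
    flagged = {
        host.lower()
        for host in script_hosts(html)
        if host is not None and host.lower() not in allowed
    }
    return sorted(flagged)


def script_src_csp(allowed_hosts):
    """Build a script-src directive that permits only first-party scripts
    and the allowlisted hosts; an injected tag from any other origin is
    refused by the browser before it can hook the payment form."""
    origins = " ".join(f"https://{h}" for h in allowed_hosts)
    return f"script-src 'self' {origins}".rstrip()


if __name__ == "__main__":
    for host in unexpected_script_hosts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS):
        print(f"unexpected script host on checkout page: {host}")
    print("suggested header: Content-Security-Policy:", script_src_csp(ALLOWED_SCRIPT_HOSTS))
```

Run against a crawl of the store's own checkout pages on a schedule; a newly appearing host is the signal worth paging on, since the campaign above stayed live for months on sites that never noticed the extra tag. The generated `script-src` is a starting point only: Magento pages also carry inline scripts, so a deployable policy needs nonces or hashes for those, and it should be rolled out in report-only mode first.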

“Take one victim as an example, when a user loads its homepage, the JS runs as well. If a user selects a product and goes to the ‘Payment Information’ to submit the credit card information, after the CVV data is entered, the credit card information will be uploaded,” researchers explain in a blog post published today.

The technique used by the group behind this campaign is not new and is exactly the same as what the infamous MageCart credit card hacking groups used in hundreds of their recent attacks, including those on Ticketmaster, British Airways, and Newegg.

However, NetLab researchers have not explicitly linked this attack to any of the MageCart groups.

Also, don’t get confused with the domain name — www.magento-analytics[.]com.

Having Magento in the domain name doesn't mean that the malicious domain is in any way associated with the popular Magento e-commerce CMS platform; instead, the attackers used this keyword to disguise their activities and confuse regular users.

images from Hacker News