The campaign targeted top worldwide shopping websites

Dec 6, 2018 21:47 GMT

A payment information stealing campaign uses a new formjacking redirection method to compromise the checkout stage of high-profile online retail websites, according to Symantec.

Formjacking is a type of malicious attack used by cybercriminals to siphon payment information from online shops' customers by injecting specially crafted JavaScript code into the payment forms of the e-commerce platforms they target.

Symantec's research team discovered a Parisian retail store that had its online shop website injected with a formjacking script which exfiltrates payment data to the google-analyitics.org domain controlled by the malicious script's authors.
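A defensive check that follows from the look-alike exfiltration domain described above, as an added example and not code from Symantec's report: it lists the script hosts referenced by a checkout page and flags any host that is not allowlisted but sits within two edits of an allowlisted name. The allowlist, `shop.example`, the sample HTML, the `ga.js` path and all function names are assumptions constructed for illustration.

```javascript
// Constructed allowlist of hosts the shop intentionally loads scripts from (assumption).
const ALLOWED_HOSTS = ["www.google-analytics.com", "shop.example", "cdn.shop.example"];

// Constructed sample checkout markup; only the look-alike domain comes from the article.
const SAMPLE_HTML = `
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/js/checkout.js"></script>
<script src="https://google-analyitics.org/ga.js"></script>
<script src="https://static.widgets.test/w.js"></script>`;

// Levenshtein edit distance between two strings (row-by-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
                        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Second-level label of a host ("www.google-analytics.com" -> "google-analytics").
// Simplification: does not handle multi-part suffixes such as co.uk.
function brandLabel(host) {
  const parts = host.toLowerCase().split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// Resolve every <script src> against the page URL and classify non-allowlisted hosts.
function auditScriptHosts(html, pageUrl, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    let host;
    try { host = new URL(m[1], pageUrl).hostname; } catch { continue; }
    if (allowed.includes(host)) continue;
    // Not allowlisted: a near miss of a trusted name is the typosquat signal.
    const near = allowed.find(a => editDistance(brandLabel(host), brandLabel(a)) <= 2);
    findings.push({ host, verdict: near ? "lookalike" : "unknown", resembles: near || null });
  }
  return findings;
}

console.log(auditScriptHosts(SAMPLE_HTML, "https://shop.example/checkout"));
```

A static scan like this only sees scripts present in the served markup; scripts added at runtime need a browser-side control such as a Content Security Policy `script-src` allowlist with violation reporting.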

"We observed popular websites from different countries—such as the U.S., Japan, Australia, and Germany—redirecting to this one Paris website," says Symantec. "This created an interesting redirection chain as customers of all these websites were being infected by formjacking at the same time."

Subsequently, Symantec detected multiple e-commerce platforms from high-profile brands which had their checkout pages redirected to the infected Paris online retail store, with around 30 of them being compromised during this malicious campaign.

The attackers also use specially crafted code to detect and block analysis attempts

The bad actors behind this formjacking campaign also implemented a mechanism designed to block security researchers from analyzing their credit card stealing tools by looking for debugging tools such as Firebug,

According to the report, the attackers have been stealing payment information in this campaign since at least November 25, which shows that formjacking attacks can take a wide range of forms, with new methods being used to take advantage of e-commerce users.

"In our scenario, the redirecting website and the compromised website in many cases come from different areas of the online shopping landscape, dealing in entirely different product spaces," added Symantec.

The names of the websites compromised haven't yet been made public given that the security firm is currently in the process of getting in touch with the online retail stores affected by this formjacking campaign.

Images: Formjacking redirection process; Code injected into affected sites' pages; Injected code that detects debugging tools