Magecart malware: Upgraded to bypass iFrame to take more payment details

May 6, 2020
magecart malware carding fraud web skimming fraud prevention fraud protection fraud detection antimalware

A fortress of money has been breached?

Cybercrime Solutions researcher at PerimeterX reported that the stronghold fortress of iFrame might have been breached. iFrame, a security application that is placed in most online payment services and is compliant to the Payment Card Industry Security Standards Council for consumer protection in making payment online. Businesses that offer online payment using a debit/credit card should pass and fully compliant with the council standards. A renowned online payment we know is PayPal, and its subsidiary Braintree, Worldpay, and Stripe are examples of these companies that use the iFrame fraud prevention protection.


The breaching scenario

In a typical and secured scenario, a business that accepts card payment online must integrate the iFrame script on their website. Once the user is on the checkout page to place his card information, this will automatically run the iFrame script to secure that the details of the card will not be compromised. The application will highly impose a strict data access restriction as part of the Same Origin Policy (SOP) security measure of iFrame. This will ensure that information such as card number, CVV, and expiration date of the card for payment will not be leaked once the user is on the payment details page. In layman terms, the section on the website to type in the card details are locked by iFrame and hosted directly by the payment services company awaiting to be processed.


Recent discovery

However, with the recent discovery of the PerimeterX team, they claimed that this stronghold of iFrame had been breached. One Magecart (hackers that target the online payment system) group was able to infiltrate the high-walled fortress, iFrame. Proof of the claim was the reported attack to Braintree, wherein the script named Saturn returned with successful results. The infiltration sequence was initiated by compromising the website of the online retailers and performed multiple brute force attacks to inject the attacker’s script onto their system.  The hacking script will run once the victim clicks on the payment details page. The payment details form that will load is from the attacker-controlled domain. Thus, card information has been compromised.

The issue that rose from this attack was that the payment made was processed successfully. However, the card information is skimmed already by the attacker. This behavior was implausible before wherein fraud detection programs are triggered because of payment processing failure.  With this successful payment processing, the researcher says that the breach was legit. However, payment services – Paypal, confirmed that they are not responsible for the web application security of their retailers. Their concern is that the information does not leak ‘from’ iFrame. They also added that they only processed payment that is initiated from a legitimate transaction once information matches the true identity of the cardholder in the system. Security breached in between cannot be tagged on them.


Tips on mitigation

With this recent stealth attack discovery, website owners that use online payment should be more vigilant for this surreptitious attack. They should do routinely check on their website and but not limited to reloading a clean version to ensure infection be mitigated as advised by may system administrators.

About the author

Leave a Reply