Bleeping Computer reports that cybercriminals have upgraded their credit card skimming scripts to use an iframe-based phishing system designed to phish for credit/debit card info from Magento-powered store customers on checkout. The criminals injected their credit card stealer scripts within every page of the hacked websites and configured it to pop-up as a phishing form asking the buyers to provide the info themselves.
Colin Bastable, CEO at Lucy Security:
“My first reaction is that this is a very elegant solution that shows how organized crime is totally committed to stealing your money, your credit card info and your PII. These are smart and dedicated people who run their crime rings professionally; they have QA, their coders are talented, and their market is without limit. This kind of attack is perfectly positioned and timed to exploit consumer behavior: the buying decision is made, the consumer is on the home run and the fear of making a bad buying decision is replaced by the rush of spending money.
It is easier to play offense than defense. Consumers should understand that “they”, as in the banks, standards bodies, governments, retailers, website designers, payment processors etc., are not necessarily smarter or better motivated than the bad guys, and dumb persistence can overcome the best and brightest of plans.
My advice? Don’t store credit cards online. Read the whole form. Does it make sense? Check your bank and card statements daily. The banks and card companies will refund your loss, but they will pass the costs onto your fellow consumers. The proceeds will be laundered and used to fund more crime.”