For the past few months, Australian bushfires have been spreading and damaging not only natural resources but also the lives of humans and animals. In light of these unfortunate events, organizations have set up donation sites to help fight the bushfires. However, an unnamed website fell victim to a Magecart script, compromising credit card details.
Magecart is a type of scheme that is largely adopted by numerous groups. These attackers make websites and e-commerce platforms vulnerable by injecting scripts or programs to mine personal and credit card information.
According to Threat Post, a Magecart script was found on an unnamed website. The script was filed under ATMZOW, a skimming software, in attempts to disguise the attack as part of the code. Upon placing the attack, ATMZOW reportedly mined the payment and credit card information of donors.
In a statement to Threat Post, security researcher and director of the threat intelligence team at Malwarebytes, Jerome Segura, said, “The compromised site is running Magento, by far the most targeted CMS when it comes to skimming, and was outdated, which is likely how the attackers were able to inject it with malware.”
Segura also states that the script was programmed to have anti-debugging capabilities as well as obfuscation properties.
Upon discovering the malware, Segura and his team reached out to the website. The code was also removed immediately.
Based on the report of CISO Mag, compromised information obtained from donors were sent to another website called vamberlo.com.
While the attackers did not particularly target the unnamed donation site, Segura told Threatpost that “The same ATMZOW script had already been injected into dozens of other websites before this one and using the same exfiltration domain as well.”
The Malwarebytes team immediately shut down vamberlo.com, notes CISO Mag. However, the same software was found installed in 39 other sites.