To steal credit cards, hackers are using genuine checkout forms

Published May 2, 2023
Author: Ash Khan

Hackers are stealing credit cards from unwary customers by hijacking internet retailers and displaying sophisticated, realistic-looking bogus payment forms.

These payment forms are displayed as modals: HTML content overlaid on top of the main web page that lets the user interact with login forms or notification content without leaving the page.

When modals are active, the background content may be dimmed or blurred to draw attention to the modal content.

According to security researchers, MageCart skimmers are now hijacking the checkout pages of legitimate online stores to display their bogus payment forms as modals that capture users’ credit cards.

These modals stand out because they can look even better than the original, with no visible sign that they are not real.

Superior to the original

According to the researchers, a Parisian travel accessories business was compromised by the latest Kritec campaign.

Kritec is a JavaScript credit card skimmer that Malwarebytes first discovered in Magento stores in March 2022, which implies that this campaign is the work of the same threat actor.

Malwarebytes says the skimmer that infected the page is rather clever, and its code is heavily obfuscated using base64 encoding.

Instead of leaving the infected site’s own payment form on the checkout page, the malicious script displays a modal with the brand’s logo, the right language (French), and polished UI components.

This bogus payment form is designed to capture customers’ credit card details and transmit them back to the hackers.

Initially, the modal displays a fake loader before redirecting the buyer to the actual payment URL.

By then, however, the threat actors have already stolen all entered information in the background: the credit card number, expiration date, CVV number, and cardholder name.

In addition, the skimmer sets a cookie on visitors who have been successfully targeted, so the fraudulent modal is not loaded again for them, whether on the same site or another one. This avoids gathering duplicate data and reduces the operation’s exposure.
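As an added illustration, not code from the article or from Malwarebytes, here is a small Python heuristic a site owner could run over a checkout page’s HTML to flag inline scripts carrying long base64 blobs that decode to card-field, modal and cookie references, the traits described above. The keyword lists and the sample page are my own constructions.

```python
import base64
import binascii
import re

# Heuristics taken from the article: the skimmer hides its code in base64,
# draws a modal over the checkout, reads the card fields and leaves a cookie
# so the modal is not shown twice. The hint lists themselves are my assumption.
CARD_FIELD_HINTS = ("cardnumber", "card_number", "cvv", "cvc", "expir")
BEHAVIOUR_HINTS = ("modal", "overlay", "document.cookie")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def decode_base64_blobs(script_text):
    """Decode every long base64 run in a script, skipping runs that are not valid base64."""
    decoded = []
    for match in B64_BLOB.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="ignore").lower())
    return decoded


def score_inline_script(script_text):
    """Return (score, findings) for one inline script; a score of 0 means nothing was flagged."""
    decoded = " ".join(decode_base64_blobs(script_text))
    findings = ["long base64 blob decodes to text"] if decoded else []
    findings += [f"decoded blob references card field '{h}'" for h in CARD_FIELD_HINTS if h in decoded]
    findings += [f"decoded blob references '{h}'" for h in BEHAVIOUR_HINTS if h in decoded]
    return len(findings), findings


def scan_page(html):
    """Score every inline <script> on a page, most suspicious first."""
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.S | re.I)
    results = [(score_inline_script(s), s.strip()[:40]) for s in scripts]
    return sorted(results, key=lambda r: r[0][0], reverse=True)


# Constructed sample page: a harmless analytics snippet plus one inline script carrying
# a base64 string, as the article describes. The encoded text is only field names and
# words chosen to trip the heuristics, not working skimmer code.
SUSPECT_PAYLOAD = base64.b64encode(
    b"showModal(); read(cardNumber, expiry, cvv); document.cookie='seen=1'"
).decode()
SAMPLE_HTML = f"""
<script>window.dataLayer = window.dataLayer || []; dataLayer.push({{'event': 'pageview'}});</script>
<script>var p = "{SUSPECT_PAYLOAD}";</script>
"""
```

Calling `scan_page(SAMPLE_HTML)` ranks the base64-carrying script first with six findings and the analytics snippet last with none; in practice the scan should be run against the live checkout page, since the article notes the skimmer is only injected there.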

Malwarebytes investigators disabled the skimmer script to let the original payment form load. In the side-by-side comparison, however, the legitimate form is the one that looks worse.

The legitimate payment page sends users to a third-party processor, where they submit their banking information before returning to the shop’s website.

A redirect to an external site is a common step in online payments, but it inspires less trust in the visitor than a modal form presented directly on the page.

To Sum up

Unfortunately, researchers have found that the use of modal forms is gaining popularity among cybercrime groups.

A Dutch and a Finnish e-commerce site are further examples of websites presenting fraudulent payment modals to users. Both had exquisite designs that let them pass as legitimate.

Multiple threat actors may be involved in those campaigns and are customizing skimmers accordingly.

Unlike many hacked stores, which carried a generic skimmer, it appears the custom modals were developed recently.

Online buyers should exercise extreme caution and opt for electronic payment methods or one-time private cards with spending limits, which are of little use in the hands of fraudsters.