A creative technique involving so-called swap files is being used to deploy persistent credit card skimmers on compromised Magento e-commerce sites, warns a new report from cybersecurity researchers Sucuri.
“When editing files directly over SSH, the server creates a temporary ‘swap’ version in case the editor crashes, preventing the entire content from being lost,” the researchers explain.
“It became clear that the attackers were using a swap file to keep the malware on the server and evade normal detection methods.”
Exchange files and fake Amazon domains
In order to create the temporary swap version, the attacker first needs access to the Magento site. In this particular case, it was not known how the threat actors gained access, but it is safe to assume that it was done via phishing or via brute-force or credential stuffing attacks.
Furthermore, the use of swap files was just one of many ways the attackers ensured the site remained up and running, the researchers further explained. The data stolen using the skimmer was sent to a domain named “amazon-analytic(.)com,” registered in February 2024.
“Note the use of brand names; this tactic of using popular products and services in domain names is often used by malicious actors in an attempt to evade detection,” the researchers explained, adding that the same domain has been seen in other credit card theft attacks.
As a result, the skimmer survived “multiple cleanup attempts” and was exfiltrating sensitive data such as people’s names, addresses, credit card numbers and other information needed to use the cards elsewhere.
The name of the compromised website is unknown. We also don’t know how long the website has been compromised, or how many people have had their data stolen this way. We also don’t know if the data has already been used somewhere, to make fraudulent purchases or to sell it on the dark web. Some criminals use stolen credit card data to buy malicious ad campaigns, which often appear on Google, Facebook, LinkedIn, and other popular sites.
Through The Hacker News