Cybercriminals have devised a card-skimming scheme that involves creating a phishing page that impersonates a retailer's third-party payment service platform (PSP).
Certain e-commerce websites outsource their financial transactions by redirecting customers to a secure page operated by PSP companies. But in this scam, discovered by researchers at Malwarebytes, the malicious actors swap out the genuine PSP payment processing page with a fraudulent one that asks for customers' personal and financial data. These details will then be skimmed and exfiltrated to an attacker-controlled server.
The hybrid skimmer-phishing page appears to be a copy of a legit CommWeb payment processing page from CommonwealthBank in Australia. In a company blog post, Malwarebytes Director of Threat Intelligence Jerome Segura noted that the page was designed specifically crafted for an Australian store that runs the PrestaShop Content Management System (CMS) and uses the Commonwealth Bank platform to accept payments.
"Your details will be sent to and processed by The Commonwealth Bank of Australia and will not be disclosed to the merchant," the page reads, according to Malwarebytes.
Notably, the phishing page even checks to make sure all of the data fields are entered with valid information, and alerts users if this is not the case. After a victim's data is entered and exfiltrated, he or she is redirected to the PSP and views a legit payment site for Commonwealth Bank, which displays the correct amount purchased. "This is done by creating a unique session ID and reading browser cookies," Segura explains in the blog post.
"By blending phishing and skimming together, threat actors developed a devious scheme, as unaware shoppers will leak their credentials to the fraudsters without thinking twice," Segura states.
The scam would appear to the brainchild of a cybercriminal group that's known to use phishing templates and web skimmers, including a skimmer called ga.js that's loaded as a fake Google Analytics library. Malwarebytes researchers recently found a newly registered malicious domain, "payment-mastercard[.]com," that contained a skimmer like this one, as well as the more unique one that imitates the PSP.
"Externalizing payments shifts the burden and risk to the payment company such that even if a merchant site were hacked, online shoppers would be redirected to a different site (i.e. Paypal, MasterCard, Visa gateways) where they could enter their payment details securely," Segura concludes. "Unfortunately, fraudsters are becoming incredibly creative in order to defeat those security defenses. By combining phishing-like techniques and inserting themselves in the middle, they can fool everyone."