Credit card stealer hides in CSS files of hacked online stores

Credit card stealer scripts are evolving and become increasingly harder to detect due to novel hiding tactics. The latest example is a web skimmer that uses CSS code to blend within the pages of a compromised store and to steal customers' personal and payment information.

By hiding their payment info stealer script within CSS code, this skimmer's creators successfully bypassed detection by automated security scanners and avoided raising any flags even when examined in manual security code audits.

This happened because scanners aren't commonly scanning CSS files for malicious code and anyone looking at the skimmer's trigger script reading a custom property (variable) from the CSS page wouldn't give it a second glance.

CSS (Cascading Style Sheets) files are the ones providing websites with the ability to add style (e.g., fonts, colors, and spacing) to Web documents using a collection of rules.

Magecart script links stored in CSS code

This credit card skimmer (also known as a Magecart script) was discovered by researchers at Dutch cyber-security company Sansec on Tuesday, on three different online stores.

The web skimmer was still active on at least one store as SanSec told BleepingComputer earlier today, but the company didn't share additional info due to the sensitive nature of the data.

Since it was spotted, the CSS-based web skimmer has been used by a Magecart group that has started to "experiment" with progressively more advanced techniques to inject their malicious scripts and exfiltrate customers' payment card info.

Magecart CSS code
Magecart CSS code (Sansec)

This Magecart script will only run when customers of compromised e-commerce sites start entering payment or personal information.

When the shoppers hit the checkout button on an order form, they are redirected to a new page that loads and parses the attackers' malicious CSS code.

A JavaScript parser/trigger script on the checkout page of the hacked online store will then load and execute the skimmer from a URL stored by the CSS Code in the --script variable that points to a Magecart script on the cloud-iq[.]net server controlled by the hackers.

This tactic allows the Magecart group to hide their credit card stealer in plain sight on any compromised e-commerce website since it won't be discovered through any conventional methods.

At most, it would raise alarm flags only by accident as it happened when Sansec first spotted it earlier this week.

Magecart trigger script
Magecart trigger script (Sansec)

Every bit of code can be used for malicious purposes

Online stores "need to monitor all of their data, not just executable assets," as Sansec told BleepingComputer.

"It is a huge headache for e-commerce managers. Today it is CSS, tomorrow it will be static data elsewhere."

Online shoppers have very few options to protect against Magecart attacks where JavaScript-based scripts known as credit card skimmers are injected within the pages of compromised e-commerce sites to exfiltrate their customers' payment and personal data.

"Consumers should pick a bank that enforces 2FA on each transaction," Sansec said. "In Europe, it is more and more common, but in the US not at all."

If you are in the US, you can either get temporary card numbers at http://privacy.com and similar platforms or use virtual cards for each transaction.

Sansec researchers have also recently discovered a web skimming malware capable of hiding as SVG social media buttons and an almost impossible to remove credit card stealing malware that bundles a persistent backdoor.

Related Articles:

Fraud network uses 4,700 fake shopping sites to steal credit cards

Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks