People often make a great effort to protect their credit/debit card details against fraudulent transactions. This has been further helped by banks implementing increased security with the help of two-factor authentication( 2FA). However, there’s this one instance where even 2FA doesn’t save you.
Imagine someone replaces a legitimate payment page with a fraudulent one. Once you initiate a payment, you receive a confirmation code which you enter since it is actually you making the transaction. But in reality, the transaction was never made with the processor you meant it to be, instead, it was done on a cloned fake page set up by a scammer.
This very tactic known as web skimming has recently utilized by a threat group as discovered by Malwarebytes. Remember, in the usual scenario, cybercriminals use skimmers to steam card data from ATM and gas stations.
The group in question implemented the scheme with injecting a malicious ga.js file “into compromised online shops by inserting a one-line piece of code containing the remote script in Base64 encoded form” which was obtained from payment-mastercard[.]com/ga.js disguised as a Google Analytics library.
Posing as a payment page utilizing Comm Web‘s gateway service which is a product of the Commonwealth Bank in Australia, the form directly collects the information that the user enters.
The reason they specifically cloned Comm Web is that they wanted to target an Australian store based on PrestaShop CMS which had Commonwealth Bank as a payment option.
To make it appear even more legitimate and perhaps ensuring the information garnered is correct, data validation capabilities were also found in the fake form. Once the customer clicks on the pay button, the data is collected by the attackers with the user redirected this time to a legitimate payment page requesting the payment information again.
It is, however, to be noted that this represents an entirely new level of creativity exhibited by scammers in this incident. Before this, we surely did see attackers phishing web pages to collect payment information through different ways such as keylogging, replacing certain fields with fake ones in a form or sniffing entire forms but this is perhaps the first time that an entire payment page has been replaced.
The best way to guard yourself against such attempts is to carefully read the URL of the payment page and make sure it is a legitimate one. These are a few ones that are known to be fake ones and are to be avoided:
Furthermore, if you’re unsure of any new URL that you happen to find, it is better to verify its legitimacy by contacting a support team member of the particular site rather than regretting later.