Long-Running Web Skimming Campaign Steals Credit Cards From Online Checkout Pages
Briefly

"Silent Push said it discovered the campaign after analyzing a suspicious domain linked to the now-sanctioned bulletproof hosting provider Stark Industries (and its parent company PQ.Hosting), which has since rebranded to THE[.]Hosting, under the control of the Dutch entity WorkTitans B.V., as a sanctions evasion measure. The domain in question, cdn-cookie[.]com, has been found to host highly obfuscated JavaScript payloads (e.g., "recorder.js" or "tab-gtm.js") that are loaded by web shops to facilitate credit card skimming."
"The skimmer comes with features to evade detection by site administrators. Specifically, it checks the Document Object Model (DOM) tree for an element named "wpadminbar," a reference to a toolbar that appears in WordPress websites when logged-in administrators or users with appropriate permissions are viewing the site. In the event the "wpadminbar" element is present, the skimmer initiates a self-destruct sequence and removes its"
A major web skimming campaign has been active since January 2022, targeting payment networks including American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay. Enterprise organizations that use these payment providers face the highest risk of impact. The campaign injects highly obfuscated malicious JavaScript into checkout pages to stealthily harvest credit card and personal information during payments. The operation uses the domain cdn-cookie[.]com to host payloads such as recorder.js and tab-gtm.js, and is linked to a now-sanctioned bulletproof hosting provider that rebranded and operates under a Dutch entity as a sanctions-evasion measure. The skimmer checks the DOM for the WordPress administrator toolbar element (wpadminbar) and, when it is present, removes itself, so a logged-in administrator reviewing the site never sees it.
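One practical consequence of the wpadminbar check is that a logged-in administrator cannot verify a checkout page by eye. The added example below (not code from the report or from Silent Push) inventories external `<script src>` origins on a constructed checkout page and flags any host outside an allow-list; the allow-list and the sample page are assumptions for illustration, and in practice the HTML must be fetched as an anonymous visitor rather than with an admin session.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page. The cdn-cookie.com loader mirrors the report's
# indicator (written here without the [.] defanging) and is the line to flag.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://cdn-cookie.com/tab-gtm.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>
"""

# Hosts this shop is expected to load scripts from (an assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html):
    """Hosts of externally loaded scripts; relative srcs are first-party and skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return {urlparse(s).hostname.lower() for s in parser.srcs if urlparse(s).hostname}


def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Script hosts not on the allow-list: candidates for skimmer review."""
    return external_script_hosts(html) - set(allowed)


if __name__ == "__main__":
    # Fetch the page as an anonymous visitor, never with an admin session:
    # the skimmer removes itself when the WordPress admin bar is present.
    for host in sorted(unexpected_script_hosts(SAMPLE_CHECKOUT_HTML)):
        print("unexpected script host:", host)
```

Running the same inventory on a schedule and diffing against the previous run turns a one-off check into a detection for newly injected loaders.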
Read at The Hacker News