Be Extra Careful Shopping Online This Holiday Season - Criminals are Using Fake PayPal Pop-Ups on Hacked Retail Sites

  • By Dawna M. Roberts
  • Published: Dec 04, 2020
  • Last Updated: Mar 18, 2022

Threatpost reported on December 1, 2020, that Magecart hackers are using a new credit card skimming technique to fake PayPal pop-ups on retail sites. If you visit one of those sites, you could be a victim of identity theft or fraud.

What Is Credit Card Skimming?

Hackers and thieves use various credit card skimming techniques to steal credit card numbers, PINs, and other information from retail stores, online outlets, and even gas stations. Sometimes they use small pieces of hardware attached to gas pumps and ATMs that steal your data as you swipe your card. They also often install small cameras to record you entering your PIN.

In other cases, such as attacks on retail stores like Home Depot and Target, the malware was installed on card machines that stole credit card data as patrons used their cards to pay for their purchases. 

The latest technique that Magecart (a notorious hacker gang) is employing uses the browser's postMessage API to mimic a PayPal payment pop-up that steals payment details as customers pay for things online.

What Happened

A security researcher named Affable Kraut first discovered the technique and noticed that postMessage was used to display an authentic-looking PayPal iframe during the checkout process. He posted about it on Twitter, and BleepingComputer distributed his research on the matter.

Once customers use the fake PayPal login, their credentials are sent back to the hacker’s computer and saved. The culprit can then easily take over that person’s account.

Typically, hackers don’t take the time to mimic legitimate pages well enough to fool everyone, but this particular pop-up looks very convincing. The hackers spoofed this iframe so successfully by using the browser function window.postMessage, which lets the injected script pass data into the fake iframe so that it is built from some of the elements of the legitimate page it’s spoofing.

In his research, Affable Kraut mentioned that the hackers used malicious code hidden inside an image stored on the server of the hacked online storefront. Unlike less sophisticated skimmers, this one uses postMessage to borrow details from the person’s order and pre-fill the fake PayPal payment form, so the form appears legitimate and customers trust its validity. Affable Kraut tweeted, “When the victim sees this page, it is now partially filled out, which definitely increases the odds that it will capture their full payment data.”

According to Threatpost, “Once the victim enters and submits payment info, the skimmer exfiltrates the data to apptegmaker.com, a domain registered in October 2020 and connected to tawktalk.com. The latter was seen used in previous Magecart group attacks. The skimmer then clicks the order button behind the malicious iframe and sends the victim back to the legitimate checkout page to complete the transaction.”
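A defender-side counterpart to the technique described above, added here as an example and not taken from the article or any researcher's code: a checkout-page audit that classifies every iframe by origin, so that an injected overlay (a frame with no src, an opaque about:/data: origin, or an origin that is neither the shop nor an approved payment provider) is surfaced as a finding. The allowlist, the page origin shop.example, and the sample frame list are constructed for this example.

```javascript
// Added example: audit the iframes on a checkout page for injected overlays.
// Allowlist and sample data are constructed; adjust APPROVED_PAYMENT_ORIGINS
// to the payment providers the shop actually integrates.
const APPROVED_PAYMENT_ORIGINS = new Set([
  "https://www.paypal.com",          // legitimate PayPal checkout frames
  "https://www.sandbox.paypal.com",  // assumption: sandbox allowed in staging
]);

// Classify one iframe src relative to the merchant page origin.
function classifyFrame(src, pageOrigin) {
  if (src === "") {
    // No src attribute: the frame's content is written by script, which is
    // how a pre-filled fake payment overlay typically appears.
    return "opaque-origin";
  }
  let origin;
  try {
    origin = new URL(src, pageOrigin).origin;
  } catch {
    return "unparseable";
  }
  if (origin === "null") return "opaque-origin";   // about:, data:, javascript:
  if (origin === pageOrigin) return "same-origin";
  if (APPROVED_PAYMENT_ORIGINS.has(origin)) return "approved";
  return "unexpected-origin";
}

// Return only the frames a reviewer should look at, in DOM order.
function auditFrames(frameSrcs, pageOrigin) {
  const suspicious = new Set(["opaque-origin", "unexpected-origin", "unparseable"]);
  const findings = [];
  frameSrcs.forEach((src, index) => {
    const verdict = classifyFrame(src, pageOrigin);
    if (suspicious.has(verdict)) findings.push({ index, src, verdict });
  });
  return findings;
}

// Constructed sample: a checkout page after a skimmer has injected its overlay.
// In a browser, replace this with:
//   Array.from(document.querySelectorAll("iframe")).map(f => f.getAttribute("src") || "")
const SAMPLE_FRAMES = [
  "https://www.paypal.com/smart/buttons",  // real provider frame
  "/static/size-guide.html",               // merchant's own frame
  "",                                      // injected overlay, filled by script
  "https://unexpected.example/pay",        // constructed: not on the allowlist
];

console.log(auditFrames(SAMPLE_FRAMES, "https://shop.example"));
```

The two findings the sample produces (the src-less frame and the unexpected origin) are exactly the kind of frame a skimmer overlay introduces; same-origin and approved-provider frames are left alone.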

A couple of months ago, Magecart attacked more than 2,000 e-commerce websites with another credit card skimming campaign. With the holiday season heating up, customers need to be more on alert than ever before.

How to Stay Safe This Holiday Season

Although it might seem safe to assume that larger companies will be better secured and safer to purchase from this holiday season, that may not be true. Hackers can get to anyone; therefore, you must be your own advocate for safety and take as many precautions as possible when making purchases online. Some tips to stay safe are:

  • If you can, do not enter credit card or other payment details online. Instead, use a digital wallet such as Google Pay, PayPal, Amazon Payment, or ApplePay. These services store your payment information, so you never have to enter sensitive data on a retail website.
  • Whenever you can, purchase using your mobile device with multi-factor authentication methods (FaceID, fingerprint, or some other biometric authentication). 
  • Always use credit cards, not debit cards. If thieves do get ahold of your card or credentials, you do not want them to drain your bank account.
  • Set aside one specific card for online purchases and check your monthly statements carefully, looking for anything suspicious. 
  • Keep all your devices updated with the latest security patches, especially your internet browser. Many of these malicious scripts may be caught by a secure browser and warn you that it’s not safe.
  • Install antivirus/anti-malware software and run deep scans often.
  • Never reuse passwords on multiple online accounts.
  • When using gas pumps or ATMs, look for loose parts or anything suspicious. 
  • Use common sense when buying online. Never buy from a merchant without a secure connection (HTTPS).

What to Do if You Are a Victim

If you are a victim of credit card skimming, take these steps:

  • Cancel your credit card immediately and alert the fraud department of your bank.
  • Get copies of your credit reports to watch for identity theft or anything unusual.
  • Consider credit monitoring to keep an eye on things.
  • File a complaint with the FTC.
