Ecommerce sites targeted by Magento payment system hack


A creative technique involving so-called swap files is being used to deploy persistent credit card skimmers on compromised Magento ecommerce sites, a new report from cybersecurity researchers Sucuri has warned.

"When files are edited directly via SSH the server will create a temporary 'swap' version in case the editor crashes, which prevents the entire contents from being lost," the researchers explained. 

"It became evident that the attackers were leveraging a swap file to keep the malware present on the server and evade normal methods of detection."

Swap files and fake Amazon domains

In order to create the temporary swap version, the attacker first needs access to the Magento site. For this particular instance, it wasn’t known how the threat actors gained access, but it’s safe to assume it was either done via phishing, or through brute-force or credential stuffing attacks.

Using swap files was just one of many ways the attackers ensured persistence on the site, the researchers explained. The data stolen with the skimmer was being sent to a domain named “amazon-analytic[.]com,” registered in February 2024.

"Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," the researchers explained. They added that the same domain was also seen in other credit card theft attacks.

As a result, the skimmer survived “multiple cleanup attempts,” and was exfiltrating sensitive data such as people’s names, addresses, credit card numbers, and other data needed to use the cards elsewhere.
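For site owners, the practical check that follows from the report is to sweep the web root for leftover editor swap files and look at what they contain. The sketch below is an added example, not code from Sucuri or the article; it assumes Vim-style swap names (`.swp`, `.swo`, `.swn`) and the `b0VIM` header that Vim writes at the start of its swap files, and every file name and file body in `demo()` is constructed sample data.

```python
import os
import re
import tempfile

# Assumption: Vim-style swap names (.swp/.swo/.swn); other editors use other names.
SWAP_NAME = re.compile(r"\.sw[nop]$", re.IGNORECASE)
VIM_MAGIC = b"b0VIM"  # leading bytes of a Vim swap file
MARKERS = {
    "php_open_tag": re.compile(rb"<\?php", re.I),
    "script_tag": re.compile(rb"<script", re.I),
    # Exfiltration domain named in the report (defanged there).
    "reported_exfil_domain": re.compile(rb"amazon-analytic\.com", re.I),
}

def scan_webroot(root, max_bytes=2_000_000):
    """Return swap-file findings under root, with any code markers seen inside."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(VIM_MAGIC))
                    is_vim = head == VIM_MAGIC
                    if not (is_vim or SWAP_NAME.search(name)):
                        continue
                    data = head + fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = sorted(k for k, rx in MARKERS.items() if rx.search(data))
            findings.append({"path": os.path.relpath(path, root),
                             "vim_magic": is_vim, "markers": hits})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Run the scan over a constructed web root (all files are sample data)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "app"))
        samples = {
            "index.php": b"<?php echo 'store';",  # normal file, ignored
            "app/.checkout.php.swp": b"b0VIM 9.0\x00" + b"\x00" * 64
                + b"<?php /* send to amazon-analytic.com */",
            "notes.txt.swo": b"todo list",  # swap name, no code inside
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_webroot(root)
```

A swap file in a production web root is worth reviewing even with no markers, since skimmer code is often obfuscated and a literal domain match will miss it.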

The name of the compromised website is unknown. We also don’t know how long it was compromised, how many people have had their data stolen this way, or whether the data has already been used anywhere, either to make fraudulent purchases or for sale on the dark web. Some criminals use stolen credit card data to purchase malicious ad campaigns, which are often seen on Google, Facebook, LinkedIn, and other popular sites.

Via The Hacker News

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
