A creative technique involving so-called swap files is being used to deploy persistent credit card skimmers on compromised Magento ecommerce sites, a new report from cybersecurity researchers Sucuri has warned.
“When files are edited directly via SSH the server will create a temporary ‘swap’ version in case the editor crashes, which prevents the entire contents from being lost,” the researchers explained.
“It became evident that the attackers were leveraging a swap file to keep the malware present on the server and evade normal methods of detection.”
Swap files and fake Amazon domains
In order to create the temporary swap version, the attacker first needs access to the Magento site. For this particular instance, it wasn’t known how the threat actors gained access, but it’s safe to assume it was either done via phishing, or through brute-force or credential stuffing attacks.
Furthermore, using swap files was just one of many ways the attackers ensured persistence on the site, the researchers further explained. The data stolen with the skimmer was being sent to a domain named “amazon-analytic[.]com,” registered in February 2024.
“Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection,” the researchers explained. They added that the same domain was seen in other credit card theft attacks, as well.
As a result, the skimmer survived “multiple cleanup attempts,” and was exfiltrating sensitive data such as people’s names, addresses, credit card numbers, and other data needed to use the cards elsewhere.
The name of the compromised website is unknown. We also don’t know how long it was compromised, or how many people have had their data stolen this way. We also don’t know if the data was already used anywhere, either to make fraudulent purchases, or sold on the dark web. Some criminals use stolen credit card data to purchase malicious ad campaigns, which are often seen on Google, Facebook, LinkedIn, and other popular sites.
Via The Hacker News