Online tuxedo retailer compromised by Magecart theft group

A script associated with the Magecart credit card theft group was found on the online tuxedo retailer www.tuxedosonline.com. The script found within the compromised site’s shopping cart is used to load externally hosted JavaScript from encoderform.com/js/acp-magento.js?mage_v=1.9.2.2 which performs the credit card data theft.

Shown above: Injected script found on Tuxedosonline’s site index page and again on the shopping cart checkout page, which loads a JavaScript from encoderform.com/js/acp-magento.js?mage_v=1.9.2.2

The externally hosted script performs Magecart’s main data theft function and is obfuscated, with a large portion of it hex encoded.

Shown above: Obfuscated script “acp-magento.js” found on domain encoderform.com/js/

Decoding this script reveals the following:

Shown above: De-obfuscated script used to skim credit card information, pointing to the domain www.msecurely.com. The script looks for specific input fields, captures their contents, and submits them over HTTPS via a POST request to www.msecurely.com/checkout/onepage/


Shown above: Credit card information being posted to www.msecurely.com/checkout/onepage/ over HTTPS


INDICATORS OF COMPROMISE:

encoderform.com – Domain hosted by credit card theft group
www.msecurely.com – POST /checkout/onepage/ – Domain hosted by credit card theft group

acp-magento.js – Obfuscated JavaScript used to skim credit card data
SHA-256: 3f2195f8b6fb68ca95164cc0a38d0062c0a527d855eaf035127a10bb0303eccb
VirusTotal Link