Online Retailer compromised by four JavaScript Credit Card sniffers

ASSOCIATED DOMAINS:

magento-security.org/js/pc-security.js – Credit card JavaScript Sniffer
bootstrap-js.com/js/bootstrap.min.js – Credit card JavaScript Sniffer
www.loversire.com/app/code/core/Mage/XmlConnect/etc/stat/statistics.php – Credit Card exfil site
google-analyitics.org/ga/ga.php?image_id=eyJmb3JtX2tleS – Credit Card exfil site
js-react.com/gate.php?token=KjsS29Msl&host= – Credit Card exfil site

 

IMAGES AND DETAILS:

Shown above: Network traffic associated with compromised site and the Magecart credit card theft groups

 

Shown above: Index page of compromised site containing the base64 string aHR0cDovL2dvb2dsZS1hbmFseWl0aWNzLm9yZy9nYS9nYS5waHA=, which decodes to the credit card sniffer site google-analyitics.org/ga/ga.php

 

Shown above: Index page of compromised site containing injected script to credit card sniffer site bootstrap-js.com/js/bootstrap.min.js
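
A defender-side check for the two injection styles captioned above (a base64-encoded URL and an injected external script tag), as an added example that is not part of the original post. The sample page, the `atob()` wrapper, the `https` scheme, the allowlisted host `cdn.shop.example` and the function names are constructed for illustration; only the base64 string and the two sniffer domains come from this page.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample markup; NOT the real index page of the compromised site.
SAMPLE_PAGE = """
<html><head>
<script src="/js/prototype.js"></script>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script type="text/javascript" src="https://bootstrap-js.com/js/bootstrap.min.js"></script>
<script>var u = atob("aHR0cDovL2dvb2dsZS1hbmFseWl0aWNzLm9yZy9nYS9nYS5waHA=");</script>
</head></html>
"""

# Runs of base64 alphabet long enough to hold a URL, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def hidden_urls(html):
    """Return URLs that only appear in the page as base64-encoded strings."""
    found = []
    for token in B64_RE.findall(html):
        if len(token) % 4:
            continue  # not a complete base64 group, skip early
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # random text that merely looks like base64
        if decoded.lower().startswith(("http://", "https://", "//")):
            found.append(decoded)
    return found


def unexpected_script_hosts(html, allowed_hosts):
    """Return hosts of external <script src> tags that are not allowlisted."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for same-site relative paths
        if host and host not in allowed_hosts:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print("base64-hidden URLs:", hidden_urls(SAMPLE_PAGE))
    print("unexpected script hosts:",
          unexpected_script_hosts(SAMPLE_PAGE, {"cdn.shop.example"}))
```

Run against a saved copy of a storefront's checkout and index pages, with the allowlist set to the script hosts the site is known to use.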

 

Shown above: JavaScript sniffer script used to exfil credit card information to js-react.com/gate.php?token=

 

Shown above: Injected script found on compromised site used to load credit card sniffer JavaScript

 

Shown above: Injected script found on compromised site used to steal credit card information

 

Shown above: An example of credit card data being transmitted to a Magecart theft group domain

 

MALICIOUS FILES ASSOCIATED WITH MAGECART THEFT GROUPS:

index-page.txt – Index Page from Compromised Site