Credit Card Skimmer Hidden in Fake Facebook Tracker

A new credit card skimmer has been discovered by cybersecurity researchers, concealed within a counterfeit Meta Pixel tracker script. The skimmer is designed to evade detection and is injected into websites through tools that allow custom code, such as certain WordPress plugins and sections of the Magento admin panel.

According to the report, the malware is injected into websites through tools that allow custom code, such as WordPress plugins like Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel. This lets attackers disguise the malicious code as benign by following naming conventions that match popular scripts like Google Analytics or libraries like jQuery.

The fake Meta Pixel tracker script appears similar to its legitimate counterpart, but contains JavaScript code that substitutes references to the domain “connect.facebook[.]net” with “b-connected[.]com.” While the former is a genuine domain linked to the Pixel tracking functionality, the replacement domain is used to load an additional malicious script (“fbevents.js”) that monitors whether a victim is on a checkout page and, if so, serves a fraudulent overlay to grab their credit card details.

Interestingly, “b-connected[.]com” is a legitimate e-commerce website that has been compromised to host the skimmer code. Information entered into the fake form is then exfiltrated to another compromised site (“www.donjuguetes[.]es”).

To mitigate such risks, it is recommended to keep websites up-to-date, periodically review admin accounts to determine their validity, and update passwords frequently. Threat actors often leverage weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add rogue admin users, which are then used to perform various malicious activities.

Since credit card stealers often wait for keywords such as ‘checkout’ or ‘onepage,’ they may not become visible until the checkout page has loaded, evading public scanners. The only way to identify the malware is to check the page source or watch network traffic, as these scripts run silently in the background.

Sites built with WordPress and Magento are also the target of another malware called Magento Shoplift. This attack chain involves injecting an obfuscated JavaScript snippet into a legitimate JavaScript file that loads a second script from jqueurystatics[.]com via WebSocket Secure (WSS), designed to facilitate credit card skimming and data theft while masquerading as a Google Analytics script.
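The article notes that these skimmers only reveal themselves in the page source or in network traffic. As an added example, not code from the article or from the researchers it cites, the following Python script applies the tells described above to saved page source: a well-known tracker filename such as fbevents.js served from a host other than connect.facebook.net (the fake Pixel case), a WebSocket connection to an unexpected host (the Magento Shoplift case), and an inline script that both gates on ‘checkout’/‘onepage’ and reaches out to some host. The allowlist of expected hosts, the regular expressions and the sample page are constructed assumptions for the example; the domains in the sample are the ones named in the article.

```python
"""Triage page source (or a list of captured request URLs) for skimmer tells:
a known tracker filename served from a host it should not come from, WebSocket
connections, and inline scripts gated on checkout keywords."""
import re
from urllib.parse import urlparse

# Assumption: a site-specific allowlist of where each well-known script is
# legitimately served from. Extend it with the hosts your own pages really use.
EXPECTED_HOSTS = {
    "fbevents.js": {"connect.facebook.net"},
    "analytics.js": {"www.google-analytics.com"},
    "ga.js": {"www.google-analytics.com"},
    "jquery.min.js": {"code.jquery.com", "ajax.googleapis.com"},
}

# Keywords skimmers wait for before activating on a checkout page.
CHECKOUT_GATES = ("checkout", "onepage")

# http(s), ws(s) and protocol-relative URLs; stops at quotes, whitespace, tags.
URL_RE = re.compile(r"""(?:https?:|wss?:)?//[a-z0-9.-]+(?:/[^\s"'<>)]*)?""", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def extract_urls(text):
    """Return every absolute or protocol-relative URL found in text."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def split_url(url):
    """Return (scheme, host, filename) for a URL; protocol-relative URLs get https."""
    if url.startswith("//"):
        url = "https:" + url
    parsed = urlparse(url)
    return parsed.scheme.lower(), (parsed.hostname or "").lower(), parsed.path.rsplit("/", 1)[-1]


def check_url(url):
    """Findings for one script or request URL; an empty list means nothing odd."""
    scheme, host, filename = split_url(url)
    findings = []
    expected = EXPECTED_HOSTS.get(filename)
    if expected is not None and host not in expected:
        findings.append({"kind": "unexpected_host", "script": filename, "host": host, "url": url})
    if scheme in ("ws", "wss"):
        findings.append({"kind": "websocket", "host": host, "url": url})
    return findings


def scan_page(page_source):
    """Run the URL checks over a whole page and additionally flag inline scripts
    that both gate on checkout keywords and contact some host."""
    findings = []
    for url in extract_urls(page_source):
        findings.extend(check_url(url))
    for match in SCRIPT_RE.finditer(page_source):
        body = match.group(1)
        gates = [g for g in CHECKOUT_GATES if g in body.lower()]
        hosts = sorted({split_url(u)[1] for u in extract_urls(body)})
        if gates and hosts:
            findings.append({"kind": "checkout_gated_inline", "gates": gates, "hosts": hosts})
    return findings


# Constructed sample page: a pixel loader pointed at the wrong host, a genuine
# Google Analytics include, and a checkout-gated snippet opening a WebSocket.
SAMPLE_PAGE = """
<script>
  // abbreviated pixel loader; the real snippet is longer
  !function(f,b,e,v,n,t,s){t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];
  s.parentNode.insertBefore(t,s)}(window,document,'script','https://b-connected.com/en_US/fbevents.js');
  fbq('init', 'PIXEL-ID-PLACEHOLDER');
</script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>
  if (location.href.indexOf('checkout') > -1 || location.href.indexOf('onepage') > -1) {
    new WebSocket('wss://jqueurystatics.com/ga.js');
  }
</script>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Run it over HTML saved from a checkout page (not the home page, since the skimmer stays dormant elsewhere), or feed the URLs from a browser network log through `check_url`. The checks are heuristics for triage: a legitimate checkout script that talks to your own payment host will trip the inline-script rule, so review each finding rather than treating it as a verdict.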

With WordPress becoming a significant player in e-commerce, attackers are modifying their Magecart e-commerce malware to target a wider range of CMS platforms, making it crucial for website owners to remain vigilant against such threats.

To prevent falling victim to such attacks, website owners should regularly update their website’s software and plugins, use strong and unique passwords for admin accounts, and implement security measures like web application firewalls (WAFs) to detect and block malicious traffic. Additionally, educating users about the risks of phishing attacks and encouraging them to be cautious when entering sensitive information online can help mitigate the threat.