“ATMZOW” credit card skimmer used on legitimate Australian bushfire donation site vamberlo.com
The world has been captivated by the unfortunate events unfolding in Australia since September 2019 – bushfires are engulfing natural habitats along with all the creatures living there.[1] The disaster is so immense that local firefighters have been struggling to cope, although help is on the way from all around the world, as people are donating as much as they can to help fight the natural disaster. Unfortunately, malicious actors are abusing the good deeds of others to steal sensitive information using Magecart credit card skimming malware.
Security researchers at Malwarebytes Labs[2] uncovered a campaign that installs a malicious JavaScript skimmer called “ATMZOW” on the checkout page of the donation site vamberlo.com, allowing the attackers to steal the credit card details of users seeking to donate to a noble cause. However, the donation site is not the only one affected: a further 39 web pages turned out to be booby-trapped with the same skimmer.[3]
Upon the discovery, vamberlo.com was temporarily shut down until the malware is removed from the site and users can use it without compromising their credit card information.
Malicious credit card skimmer – how does it work?
In most cases, users feel relatively safe when visiting trusted and established websites and provide their credit card information without putting much thought into it. The truth is, however, that many legitimate sites have been poisoned by Magecart attacks in recent years, and these campaigns are not going anywhere, as threat actors are making millions from this malicious and highly illegal business.
Magecart is a general term for the modus operandi of various cybercriminal groups that abuse vulnerabilities in websites built on third-party e-commerce platforms and insert malicious JavaScript into them. As a result, visitors who enter credit card information as part of the checkout process essentially give their payment information away to cybercriminals without realizing that anything is wrong.
Magecart has been extremely prevalent and has compromised high-profile targets like Ticketmaster, British Airways,[4] Macy’s,[5] and others, affecting millions of users worldwide.
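A defender-side check for the script injection described above, as an added example that is not from the original article or from Malwarebytes: it lists external scripts on a checkout page that load from hosts outside an allow-list or that lack Subresource Integrity. The host names, sample HTML and function names are constructed for illustration.

```javascript
// Added example: audit the external <script> tags of a checkout page.
// ALLOWED_HOSTS and SAMPLE_HTML are constructed, not taken from any real site.
const ALLOWED_HOSTS = new Set(["js.payments.example"]);

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.payments.example/v3/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v3/extra.js"></script>
<script src="https://cdn.unknown-host.example/jquery.min.js"></script>
<script>document.getElementById("pay").addEventListener("click", submitOrder);</script>
</head></html>`;

// Parse name="value" pairs out of the attribute part of a tag.
function parseAttributes(tagText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per third-party script that is either served from a
// host outside the allow-list or is allowed but not pinned with an SRI hash.
function auditScripts(html, pageUrl, allowedHosts) {
  const pageHost = new URL(pageUrl).host;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) continue; // inline code is governed by CSP nonces/hashes, not checked here
    const url = new URL(attrs.src, pageUrl); // resolves relative paths against the page
    if (url.host === pageHost) continue;     // first-party file
    if (!allowedHosts.has(url.host)) {
      findings.push({ src: url.href, issue: "host-not-allowed" });
    } else if (!attrs.integrity) {
      findings.push({ src: url.href, issue: "missing-integrity" });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout", ALLOWED_HOSTS));
```

The check only covers external script tags present in the served HTML; skimmer code appended to a first-party file needs file-integrity monitoring on the server instead.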
Further attack details
Upon discovering the malicious Magecart skimmer on vamberlo.com, security researchers from Malwarebytes managed to shut down the malicious domain, although they received no reply from the website’s authors when they contacted them. Therefore, although the malicious script is still active on the site, users are no longer able to enter credit card details that could be stolen.
However, using the PublicWWW tool, security researcher Troy Mursch from Bad Packets Report managed to trace a further 39 domains affected by the same “ATMZOW” credit card skimmer. Most of the sites specialize in retail, and the highest-ranked site holds position 674,364 in the Alexa rankings. Unfortunately, most of these sites are still operational, and those who use them to pay for goods will have their credit card information stolen.
Those who used vamberlo.com or other domains affected by the Magecart skimmer should immediately contact their banks so that a new credit card can be issued. Additionally, users should be wary of targeted phishing attacks and open unsolicited emails with care.