In the onset of the Christmas shopping season, hackers have been having a blast. Magecart, the malicious hacker group known for targeting online shopping cart systems, is actively attacking e-commerce websites again. 

The latest victim 

The Magecart group has reportedly been using a credit-card skimming method to hijack PayPal transactions at checkout. They used a script called window.postMessage to make the malicious process seem more legitimate.

How it happened 

• The group injected card-skimming scripts on checkout pages in compromised e-commerce websites to steal customers’ payment card details and other information.
• The attackers hid their malicious code inside an image hosted on the server of the infected online store.
• The attacker then uses the data stolen from genuine pages (items added in the shopping cart, total invoice amount along with taxes and additional charges), and used it to pre-fill the fake PayPal forms during the victim’s checkout process to make its fake payment form look real.
• Once a victim enters and submits payment info, the exfiltrated data will be sent (via skimmer) to apptegmaker[.]com, a domain registered in October, and associated with tawktalk[.]com.

This is not the first time that PayPal has been in trouble. In the last month, attackers were seen targeting the users of popular money transfer apps, including Paypal, Cash App, Zelle, and Venmo. 

A network of 39 scam sites was discovered, targeting victims via a PayPal-UPS scam, exploiting some loopholes, and using PayPal as a gateway for stealing money from their victims.

With the rise of serial cyber attackers such as Magecart, especially during the lockdowns and when tech dependence is more than ever before, clients need to be extremely cautious when using online payment apps. Experts suggest using sinkhole domains, updating software with the latest security , segregating servers, and staying alert while entering information online to notice any discrepancies.