Hackers swap stealth for realistic checkout forms to steal credit cards

Hackers are hijacking online stores to display modern, realistic-looking fake payment forms to steal credit cards from unsuspecting customers.

These payment forms are shown as a modal, HTML content overlayed on top of the main webpage, allowing the user to interact with login forms or notification content without leaving the page. 

When modals are active, the background content is sometimes dimmed or blurred to draw attention to the modal content.

In a new report by , MageCart skimmers are now hijacking legitimate online store’s payment pages to show their own fake payment forms as modals to steal customers’ credit cards.

These modals stand out because they sometimes look even better than the original, having no visual signs that could cause suspicion that they are not real.

Better than the real thing

One case highlighted in Malwarebytes’ report concerns a PrestaShop-based Parisian travel accessory store compromised by the new Kritec campaign.

Kritec is a JavaScript credit card skimmer that Malwarebytes first detected on Magento stores , so the same threat actor is likely behind it.

Malwarebytes reports that the skimmer that infected the page is rather complex, and its code is heavily obfuscated with base64 encoding.

Upon reaching the checkout page of the infected site, instead of being shown the site’s payment form, the malicious script displays a modal that features the brand’s logo, correct language (French), and elegant interface elements. 

However, this fake payment form is designed to steal customers’ credit card information and send it back to the hackers.

The malicious modal window loaded on top of the compromised webpage
The malicious modal window loaded on top of the compromised webpage (Malwarebytes)

Once the buyers enter their details on the modal, it displays a bogus loader momentarily and then shows a fake error, redirecting the user to the real payment URL.

Credit card data stealing process
Credit card data stealing process (Malwarebytes)

However, in the background, the threat actors have already stolen all entered details, including the credit card number, expiration date, CVV number, and cardholder name.

Also, the skimmer drops a cookie on users who have been successfully targeted to prevent loading the malicious modal again on the same or another site. This is to avoid collecting duplicate data and minimize the operation’s exposure.

Malwarebytes’ analysts blocked the credit card skimmer script to allow the original payment form to load, and the comparison between the two leaves the authentic one aesthetically defeated.

The real payment page hosted on a third-party provider
The real payment page hosted on a third-party provider (Malwarebytes)

The actual payment page redirects visitors to a third-party processor, and after the banking information is entered, the customer returns to the shop’s page.

While a redirection to an external site is a typical step in online payments, it inspires less trust in the visitor than the modal form rendered right on the page.

Unfortunately, Malwarebytes observed evidence that the trend of using modal forms is gaining traction in the Magecart cybercrime community.

Other examples of websites serving fake payment modals on visitors include a Dutch and a Finnish e-commerce site, both featuring elegant design that helps them pass as authentic.

Examples of skimmer modals on other sites
Examples of skimmer modals found on other sites (Malwarebytes)

“It is possible multiple threat actors are involved in those campaigns and customizing skimmers accordingly,” .

“While many hacked stores had a generic skimmer, it appears the custom modals were developed fairly recently, maybe a month or two ago.”

Online shoppers need to be highly vigilant and prefer electronic payment methods or one-time private cards with charge limits that are useless in the hands of cybercriminals.