The Kritec skimming campaign [1] [3] [4] [5] [6] [7], carried out by a group of hackers known as Magecart [6], is a highly sophisticated operation that targets online shoppers [5]. The campaign was first identified by Akamai in March 2023 and became more active in October, timed to the holiday shopping season to take advantage of the rise in online transactions.

Description

Kritec is a type of skimmer that injects malicious JavaScript code into legitimate websites [6], particularly those using the Magento e-commerce platform [1] [6] [7]. The code is hidden within the Google Tag Manager script [6], making it difficult for security solutions to detect [6]. The skimming tools used by Kritec are customized for each victim site, utilizing convincing templates that are even localized in multiple languages [4]. This makes it challenging for users to detect the theft of their credit card information [5]. When customers enter their credit card details on the checkout page [1] [6] [7], Kritec steals the information and sends it to a remote server controlled by the attackers [1] [6] [7].

Malwarebytes threat researchers have observed a significant increase in newly registered domains associated with Kritec [2] [3], with a 50% month-over-month rise in the US since September [2]. This indicates a surge in compromised sites and an increased risk of innocent shoppers becoming victims of this skimming campaign [2]. The infrastructure behind the campaign is located on the IT WEB LTD network in the British Virgin Islands [5].

To protect against credit card skimming [5], it is advised to carefully scrutinize smaller merchants, conduct website audits, and utilize security tools like Malwarebytes Premium and Malwarebytes Browser Guard [5]. Additionally, a list of infrastructure obtained through retrohunting has been published to enhance community blocklists for improved threat detection and prevention [5].
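A website audit of the kind recommended above can start with the checkout page's script inventory. The following is an added example, not code from the cited sources: it lists external script hosts and Google Tag Manager container IDs in a page and flags any that are unapproved or blocklisted. All hostnames, container IDs and the blocklist entry are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders: substitute the merchant's own inventory and a real blocklist.
EXPECTED_GTM_IDS = {"GTM-EXAMPLE1"}
ALLOWED_HOSTS = {"shop.example", "www.googletagmanager.com"}
BLOCKLIST = {"skimmer-placeholder.example"}  # not a real indicator
GTM_ID = re.compile(r"GTM-[A-Z0-9]+")
SAMPLE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE1"></script>
<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-ROGUE99');</script>
<script src="https://skimmer-placeholder.example/lib.js"></script>
<script src="//cdn.unknown.example/a.js"></script>
</head></html>"""  # constructed checkout page

class ScriptCollector(HTMLParser):
    # Collects every <script src> URL and the body of every inline script.
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_inline = not src
            if src:
                self.sources.append(src)

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_checkout(html, page_host):
    """Return (finding, value) pairs for scripts that need review."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.sources:
        # Relative URLs have no hostname and load from the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if host in BLOCKLIST:
            findings.append(("blocklisted-host", src))
        elif host not in ALLOWED_HOSTS:
            findings.append(("unapproved-host", src))
    # Container IDs appear in gtm.js URLs and in the inline loader snippet.
    for gtm_id in sorted(set(GTM_ID.findall(" ".join(c.sources + c.inline)))):
        if gtm_id not in EXPECTED_GTM_IDS:
            findings.append(("unknown-gtm-container", gtm_id))
    return findings
```

Scripts injected at runtime by an approved tag do not appear in static HTML, so this check complements a Content-Security-Policy and a review of the tags configured inside the merchant's own GTM container.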

Conclusion

The Kritec skimming campaign poses a significant threat to online shoppers, with its highly sophisticated techniques and extensive reach. It is crucial for individuals and businesses to remain vigilant and take proactive measures to protect against credit card skimming. By carefully reviewing smaller merchants, conducting regular website audits, and utilizing reliable security tools, such as Malwarebytes Premium and Malwarebytes Browser Guard [5], the risk of falling victim to this skimming campaign can be minimized. Furthermore, the publication of an infrastructure list obtained through retrohunting will aid in enhancing community blocklists [5], improving threat detection and prevention in the future.

References

[1] https://ciso2ciso.com/black-friday-malwarebytes-warns-of-credit-card-skimming-surge-source-www-infosecurity-magazine-com/
[2] https://ciso2ciso.com/malwarebytes-labs-reveals-50-uptick-in-credit-card-skimming-in-advance-of-the-holiday-shopping-season-source-www-darkreading-com/
[3] https://jn66dataanalytics.com/news/malwarebytes-labs-reveals-50-uptick-in-credit-card-skimming-in-advance-of-the-holiday-shopping-season-dark-reading
[4] https://www.securitricks.com/credit-card-skimming-on-the-rise-for-the-holiday-shopping-season-thursday-november-16-2023/
[5] https://cybermaterial.com/credit-card-skimming-on-the-rise/
[6] https://cybersecurity-see.com/malwarebytes-warns-of-credit-card-skimming-surge-on-black-friday/
[7] https://www.infosecurity-magazine.com/news/black-friday-malwarebytes-credit/