Hackers Inject Multi-Gateway Card Skimmer via Fake Google Domains



Attackers are using fake Google domains spoofed with the help of internationalized domain names (IDNs) to host and load a Magecart credit card skimmer script with support for multiple payment gateways.


The attack was detected after a website owner found their domain blacklisted by McAfee's SiteAdvisor service; Sucuri security researchers, taking a closer look, discovered that the culprit was a JavaScript-based payment card skimmer injected into the site.


"Our investigation revealed that the site had been infected with a credit card skimmer loading JavaScript from the malicious internationalized domain google-analytîcs[.]com (or xn--google-analytcs-xpb[.]com in ASCII)," Sucuri's research team found.


Internationalized domain names used as a C2 cover


Using IDNs to camouflage servers hosting malicious content is a known threat actor tactic, employed in phishing attacks or, as this campaign shows, in attempts to disguise traffic from malicious domains as traffic coming from legitimate sites.



Because there are certain characters that may appear to be the same but have different ASCII codes (for example, the Cyrillic "a" and the Latin "a"), an attacker may be able to "spoof" a web page URL. Instead of going to a legitimate site, you may be directed to a malicious site, which could look identical to the real one. If you submit personal or financial information while on the malicious site, the attacker could collect that information and then use and/or sell it. — CISA Security Tip (ST05-016)
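A defender-side check in the spirit of the two paragraphs above, added here as an example and not taken from the Sucuri or CISA material: it pulls the host out of every external `<script src>` on a page, decodes punycode (`xn--`) labels back to Unicode, folds accented Latin letters to their base letter, and flags any host whose folded form collides with a host the site is known to load scripts from. The trusted-host list and the sample HTML are constructed for the example; the only real indicator in it is the lookalike domain the article names. As the comments note, diacritic folding does not catch mixed-script lookalikes (a Cyrillic "а" for a Latin "a"); those need a confusables table such as Unicode TR39, which this example does not include.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist: hosts this site legitimately loads scripts from.
TRUSTED_HOSTS = {
    "www.google-analytics.com",
    "google-analytics.com",
    "www.googletagmanager.com",
}

SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)


def to_unicode(host):
    """Decode punycode labels (xn--...) to their Unicode form.

    A host that is already Unicode cannot be ASCII-encoded and is returned
    unchanged; anything else goes through the IDNA decoder.
    """
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def to_ascii(host):
    """Encode a Unicode host to its xn-- (punycode) form, as it appears in DNS logs."""
    return host.encode("idna").decode("ascii")


def fold_diacritics(host):
    """Strip combining marks so 'analytîcs' folds to 'analytics'.

    Catches Latin-with-diacritic lookalikes only. Mixed-script lookalikes
    (e.g. Cyrillic 'а' for Latin 'a') survive NFKD and need a confusables
    table (Unicode TR39), which this example does not implement.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def classify_host(host):
    """Return 'trusted', 'homograph', 'idn' or 'untrusted' for a script host."""
    host = host.lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    unicode_host = to_unicode(host)
    is_idn = unicode_host != host or not unicode_host.isascii()
    if is_idn and fold_diacritics(unicode_host) in TRUSTED_HOSTS:
        return "homograph"  # looks like a trusted host once accents are folded
    if is_idn:
        return "idn"  # non-ASCII host: worth a look, not proof of anything
    return "untrusted"


def script_hosts(html):
    """Hostnames of every external <script src=...> in the page, in document order."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):  # protocol-relative URL
            src = "https:" + src
        parsed = urlparse(src)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.append(parsed.hostname)
    return hosts


def flagged_script_hosts(html):
    """Map each external script host to its verdict, omitting trusted ones."""
    verdicts = {}
    for host in script_hosts(html):
        verdict = classify_host(host)
        if verdict != "trusted":
            verdicts[host] = verdict
    return verdicts


# Constructed sample page: one legitimate tag, one punycode lookalike (the
# ASCII form of the domain named in the article), one raw Unicode lookalike,
# and one same-origin script that carries no host at all.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://xn--google-analytcs-xpb.com/ga.js"></script>
<script src='//google-analyt\u00eecs.com/ga.js'></script>
<script src="/js/app.js"></script>
"""

if __name__ == "__main__":
    for host, verdict in flagged_script_hosts(SAMPLE_HTML).items():
        print(f"{verdict:10} {host}  (ascii form: {to_ascii(host)})")
```

Run against a saved copy of a page, the loop at the bottom prints only the script hosts that are not on the allowlist, with the punycode form beside each so the same string can be searched for in DNS or proxy logs, where the `xn--` form is what actually appears.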



The card skimming script injected by the attackers "uses the loaded JavaScript to capture any input data using the document.getElementsByTagName and input or stored element names for capturing drop dow ..
