Self-destructing skimmer steals credit cards of Greenworks customers

June 10, 2020

Payment card data from customers of Greenworks hardware tools website is currently being stolen by hackers via a malicious script with self-cloaking capabilities and anti-tampering protection.

Greenworks distributes home and garden battery-powered tools for DIY consumers. Its business started in 2007 and grew to expand in North America and Europe.

Grabbing card data and personal details

The main website of the power tool distributor has been compromised with a "highly-sophisticated self-cleaning and self-destructing skimmer" - a piece of code also known as payment card skimmer or MageCart script that copies customer card data at check out and sends it to the attackers.

On June 8, researchers at RapidSpike, a company providing website performance and security monitoring services, found the malicious code on the U.S. website 'greenworkstools[.]com', where it's still active at publishing time.

Card data entered on the site's payment form will land on the hacker's server at 'congolo[.]pro' - a domain purchased with bitcoin cryptocurrency for anonymity reasons.

Apart from card information (number, CVV, expiration date), the threat actor also steals account details (usernames and passwords) and personal customer data (phone number, delivery address).

All cloaked up

Unlike other web skimmers impacting online shops all over the world, this sample has several particularities that make it hard to spot and analyze by researchers. These features also make it stand out from scripts achieving the same goal.

In research published today, RapidSpike says that the attackers created an overlay for the entire check out page by injecting an empty element into its footer.

An 'onmouseover' event triggers the skimmer when customers move the mouse on the page, the researchers say.

This would ensure some cloaking from automated security tools that do not react to 'onmouseover' events.

Another tactic designed to keep the malicious code hidden from investigators is to remove from the DOM interface. This renders it invisible when trying to check it using a browser's developer console.

A similar technique was discovered by Visa in September 2019 in a JavaScript skimmer they named Pipka, which affected at least 16 merchants in North America.

Hiding from security tools and researchers are not the only tactics, though, as RapidSpike identified in the malicious code a self-destruction routine that activates on attempted tampering.

The script is obfuscated and researchers typically try to modify it by inserting or removing sections of it to better understand what it does and how it achieves its goal.

"However, if the number of characters in the script changes, even as little as one extra or one fewer characters, the script will self-destruct" - RapidSpike

This check is possible by using the number of characters in the script acting like a key that unlocks a string. A different number of characters will generate a key that releases the wrong string.

The self-destruction part consists of the code showing an error, "destroying the skimmer and potentially causing anyone investigating to believe the code is not malicious because it won’t actually do anything."

According to publicly available data, Greenworks Tools recorded a steep increase in visitor traffic from 45,000 February to 350,000 on May 20. Data on completed purchases is unavailable but it is safe to assume that thousands of customers may have had their payment card data in the two days since RapidSpike detected the skimmer.

Customers on the U.S. website of Greenworks Tools that made a purchase since June 8 are advised to contact their bank and cancel their payment card.

The researchers contacted Greeenwoks Tools about the compromise but apparently the script is still running. BleepingComputer reached out to the company but received no reply at publishing time.

Read the original article and additional information at Cyware Social