Magecart is the most infamous payment skimmer. But it’s hardly the only one.

Written by

There’s been a steady stream of news about malware designed to skim customer payment data during e-commerce transactions, but research by security vendor Group-IB suggests that the problem is broader than the public might realize.

JavaScript-sniffers — JS-sniffers for short — were lurking on 2,440 hacked websites that receive roughly 1.5 million unique daily visitors, according to research published Wednesday by the company. The malicious software essentially produces the same results as a credit card skimmer: Cybercriminals inject a few lines of code onto target websites, then sweep up account numbers, names, addresses and other information that’s valuable on dark web markets.

And it’s not just Magecart, the best known group of JS-sniffers, Group-IB says. Twelve Magecart groups have been in operation, but Group-IB says its researchers discovered a total of 38 JS-sniffer families — at least eight of which have not previously been investigated in detail.

One JS-sniffer campaign, known as TokenLogin, was detected on sites that work with platforms including Magento, Shopify, and Bigcommerce. The tool, which appears to have emerged in March and April of 2016, aims to avoid detection from manual security checks, and then to automatically reinfect a target if it’s removed. It was traced back to a domain registered by the a Yandex email address, which supports Group-IB’s conclusion that many JS-sniffers speak Russian.

“Presumably, when the attackers gain access to a shop’s website, they create additional backdoors to regain access and restore the JS-sniffer,” the report states.

“All payment data is saved to local storage and then sent to the attacker’s server via an HTTP POST request, as long as the JS-sniffer is active. In some cases, JS-sniffers that run data validation were found; in other cases, there were no modifications or checks of stolen data on the client side.”

Another campaign, the GMO JS-sniffer, dates back to May 2018. The code checks whether a user’s billing information has been collected on a payment page, then intercepts the user’s credit card information. GMO was still active as of last month, and was used to infect sites such as Fila.co.uk, absolutenewyork.com, according to an Ars Technica report.

These developments are only the latest in the quickly-evolving world of point-of-sale malware. Magecart hackers have created perhaps the most havoc in recent months, with researchers blaming them for stealing thousands of customers’ payment information from targets including British Airways, BevMo and housewares giant OXO.

Other groups, though, are continuing to invest in hacking techniques they can use to steal personal information, or at least sell to other scammers.

Unfortunately, there’s not much individual consumers can do to protect themselves. One quick solution, though, is to frequently check credit statements for any signs of fraud.