Magento Credit Card Stealing Malware: gstaticapi
Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information.
To obtain sensitive details, the malware loads external javascript whenever the URL contains “checkout” — this location typically belongs to the step in Magento’s checkout process where users enter their sensitive credit card information and shipping details.
As seen above, the first if statement looks for the checkout string in the URL using window.location.href.indexOf.
Continue reading Magento Credit Card Stealing Malware: gstaticapi at Sucuri Blog.