Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this:

It uses the JavaScript atob function to decode base64-encoded domain names and URL patterns. In the sample above, it’s hxxps://livegetpay[.]com/pay.js?v=2.2.9 and “onepage”, respectively.

The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in the Group IB’s report.

Continue reading Magento Skimmers: From Atob to Alibaba at Sucuri Blog.

Via Sucuri.net