Armor researchers are warning retailers after spotting the tool for sale in a Russian forum on the dark web for $1,300, according to a report by Armor Threat Intelligence.
In addition, researchers noted it used the Secure Sockets Layer (SSL) protocol to encrypt the outbound payment card data being collected, which makes it harder for security teams to see the data being exfiltrated from the e-commerce site.
Corey Milligan, senior security researcher with Armor’s Threat Resistance Unit (TRU), believes the tool represents the first step in the commoditization of the Magecart-style attack that will create a new line of revenue for the original Magecart threat groups while also saturating the threat landscape with attempts by low-level threat actors.
“We expect to see a mass of ‘Hail Mary’ attacks, with the cybercriminals intent on hitting as many sites as possible, hoping that some of them will succeed and be fruitful,” Milligan said. “Unfortunately, the threat actors only have to be right once, and in this case, being right once could result in a haul of credit card data that is profitable and easy to sell on the Dark Web.”
In addition, the TRU team believes that low-level threat actors will plug this tool into processes that involve automated scanning for, and indiscriminate attacks on, vulnerable e-commerce sites, even ones that don’t have the applicable payment form.