“ATMZOW” credit card skimmer used on a legitimate Australian bushfire donation site, vamberlo.com
The world's attention is currently on the unfortunate events unfolding in Australia since September 2019: bushfires are engulfing natural habitat along with the creatures living there. The disaster is so immense that local firefighters have been struggling to cope, although help is on the way from all around the world, and people are donating as much as they can to help fight it. Unfortunately, malicious actors are abusing the good deeds of others to steal sensitive information with Magecart credit card skimming malware.
Upon the discovery, vamberlo.com was temporarily shut down until the malware is removed from the site and users can use it without compromising their credit card information.
Malicious credit card skimmer – how does it work?
In most cases, users feel relatively safe when visiting trusted and established websites, and they provide their credit card information without putting much thought into it. The truth is, however, that many legitimate sites have been poisoned by Magecart attacks in recent years, and these campaigns are not going away, as threat actors are making millions from this malicious and highly illegal business.
Further attack details
Upon discovering the malicious Magecart skimmer on vamberlo.com, security researchers from Malwarebytes managed to shut the malicious domain down, although the website's authors did not reply when contacted. Therefore, while the malicious script is still active on the site, the credit card details that users enter will no longer be stolen.
However, using the PublicWWW tool, security researcher Troy Mursch from Bad Packets Report managed to trace a further 39 domains affected by the same credit card skimmer, “ATMZOW.” Most of the sites specialize in retail, and the highest-ranked site holds position 674,364 in the Alexa rankings. Unfortunately, most of these sites are still operational, and those who use them to pay for goods will get their credit card information stolen.
Those who used vamberlo.com or other domains affected by the Magecart skimmer should immediately contact their banks so that a new credit card can be issued. Additionally, users should be wary of targeted phishing attacks and open unsolicited emails with care.