Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site.
Recently, we’ve come across another level of customization.
Fake Payment Form in Bulgarian
A compromised Magento site had the following script injected into its core_config_data table.
hxxps://elegrina[.]com/assets/.js, where was the second-level domain of the infected site.
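A defender-side check for the pattern described above, as an added example that is not part of the original post: it scans exported core_config_data rows for script tags that load from an outside host and marks those whose URL contains the site's own second-level domain. The sample rows, host names and function names are constructed, and the domain split is a naive assumption that ignores multi-label suffixes such as co.uk.

```python
import re
from urllib.parse import urlparse

# Captures the src value of any <script ... src=...> tag in a config value.
SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I)

def registrable(host):
    """Last two labels of a host name (assumption: single-label suffix)."""
    return '.'.join(host.lower().rstrip('.').split('.')[-2:])

def audit_rows(rows, site_host):
    """rows: (path, value) pairs exported from core_config_data.
    Returns one finding per script loaded from a host outside the site."""
    site_domain = registrable(site_host)
    sld = site_domain.split('.')[0]          # e.g. 'shop-victim'
    findings = []
    for path, value in rows:
        for src in SCRIPT_SRC.findall(value or ''):
            parsed = urlparse(src)           # handles https://... and //host/...
            host = (parsed.hostname or '').lower()
            if not host or registrable(host) == site_domain:
                continue                     # relative or first-party script
            findings.append({
                'config_path': path,
                'host': host,
                'src': src,
                # Third-party URL that names the site itself: the
                # per-victim customization the article describes.
                'names_site': sld in host or sld in parsed.path.lower(),
            })
    return findings

# Constructed sample rows (not taken from a real database).
SAMPLE_ROWS = [
    ('design/head/includes',
     '<script src="https://skimmer.example/assets/shop-victim.js"></script>'),
    ('design/footer/absolute_footer',
     '<script src="https://www.shop-victim.example/js/theme.js"></script>'),
    ('design/head/includes',
     '<script type="text/javascript" src="//analytics.example/tag.js"></script>'),
    ('web/secure/base_url', 'https://www.shop-victim.example/'),
]

if __name__ == '__main__':
    for f in audit_rows(SAMPLE_ROWS, 'www.shop-victim.example'):
        flag = 'REVIEW FIRST' if f['names_site'] else 'check allowlist'
        print(f"{flag}: {f['config_path']} loads {f['src']}")
```

Every external script it reports still needs review against the site's known integrations; the names_site flag only orders the queue.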