Skip to content

Threat actors exploiting Facebook Pixel tracker for credit card theft

  • by
  • 3 min read

A sophisticated campaign targets individuals via a complex credit card skimming attack embedded within a deceptive Facebook Pixel tracker script. This campaign highlights cybercriminals’ evolving strategies to exploit website vulnerabilities and steal sensitive financial data.

The attackers exploited software features that allow custom code injection, such as the miscellaneous scripts area in the Magneto admin panel and popular WordPress plugins like Custom CSS & JS.

By leveraging custom script editors, they inserted external JavaScript, including malicious code disguised as benign scripts like Google Analytics or JQuery libraries.

What sets this attack apart is its level of deception. Upon closer examination of the compromised script, cybersecurity experts identified meticulous substitutions and obfuscation techniques aimed at avoiding detection. The malicious script, posing as a legitimate Facebook Pixel tracker, cleverly replaced references to connect.facebook.net with a malicious domain, b-connect[.]com. The former is a legitimate domain name, while the latter is a malicious one loading the skimmer code.

Malicious script on the compromised website.

Once activated on a compromised website, the malicious script executed an additional script designed to capture credit card details covertly during checkout. This stealthy operation, concealed within what appeared to be a routine tracking script, underscores the insidious nature of modern cyber threats.

A concerning aspect of this attack is its stealthy execution. The compromised domain, b-connectd[.]com appeared as a legitimate e-commerce platform dating back to 2002, adding credibility to the malicious activity. This tactic aimed to evade traditional security measures and emphasised the need for advanced detection mechanisms.

Heavily obfuscated JavaScript executing the malicious payload. | Source: Sucuri

Detecting such sophisticated attacks poses significant challenges for website owners and security professionals. The skimming code, designed to activate discreetly during specific website interactions like checkout processes, often escaped traditional scanning methods. This silent operation underscores the importance of proactive monitoring and intrusion detection systems.

Cybersecurity researcher Matt Morrow from Sucuri has exposed the campaign. “Because credit card stealers often wait for keywords such as ‘checkout’ or ‘onepage’, they may not become visible until the checkout page has loaded,” said Morrow. “Since most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify the malware is to check the page source or watch network traffic. These scripts run silently in the background.”

Users have been advised to regularly update the software, maintain a strong password, enforce file integrity monitoring mechanisms, and deploy a Web Application Firewall (WAF) to protect themselves from such attacks.

In the News: Apple dropped ‘state-sponsored’ under pressure from GoI: Report

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>