Previously, researchers found web skimmers inside images (site logos, favicons, social media buttons), in popular libraries including jQuery, Modernizr, and Google Tag Manager, or inside various widgets such as the support chat window.
Now, Willem de Groot, an expert at the Dutch company Sanguine Security, told ZDNet reporters that he had found web skimmers embedded in CSS files.
“After finding skimmers in SVG files last week, we now discovered a #magecart skimmer in perfectly valid CSS. It is parsed and executed during checkout. Malware loaded from cloud-iq[.]net (faking @cloudIQApps),” wrote Willem de Groot on his company’s Twitter account.
Several unnamed online stores have already been infected with this malware, and the cybercriminals’ infrastructure has been operating since about September 2020. However, after the researchers tweeted about the problem, the keylogger appears to have been disabled. De Groot writes that it all looked like someone’s experiment.
While using CSS rules as a proxy for downloading malware is something new, the expert believes that this is not what site owners and buyers should worry about:
Recall also a particularly brazen trick, in which attackers embedded a Magecart script to collect billing information on the Forbes subscription website.