
18 Sniffers Steal Payment Card Data from Print Store Customers



For the past 30 months, an online printing platform with a cover store for well-known magazines has been constantly infected with malicious scripts that steal customer payment card data.




At least 18 skimmers, or sniffers (scripts that copy credit card info at checkout), have been identified since August 2017 on Reprint Mint, a photo store that prints covers of ESPN sports magazine and of the American military publication Stars and Stripes.

MageCart sniffer overload

On some occasions, more than one skimmer was active at the same time, indicating that multiple attackers had compromised the site and were receiving the pilfered card info.


Sanguine Security, a company specializing in online store fraud protection, says that the first skimmer they noticed on Reprint Mint ran for a year and a half without drawing attention.


Things changed on February 1, 2019, when it was replaced by a different script, which sent the data to a file associated with the Inter sniffing kit, available on underground markets for $950.


The collecting file was moved to various domains, most likely compromised for this purpose.


On August 1, 2019, a third skimmer with a different code and exfiltration domain stepped in and replaced the competition.


By December, Sanguine researchers had seen six different scripts specifically designed to intercept payment card data. Most of the time, only one of them was active, except for the last two, which seemed to coexist.


New sniffers were planted starting January 23, 2020, with number five being a constant, regardless of the rivals swooping in. Sanguine Security says that it was still present on Wednesday, despite multiple attempts to reach out to the printing platform. BleepingComputer could confirm that the two scripts are active at the time of writing.






Few crooks were caught

While Reprint Mint is a small shop, it shows that any eCommerce site can be a battlefield for MageCart operators. Card-stealing malware will make its way onto any site with security gaps that can be exploited, no matter the amount of card data that can be exfiltrated. The information is then sold on underground forums.


Skimmer operators are extremely active, compromising hundreds of thousands of websites. One such threat actor alone managed to infect more than 40 web stores since October 2019. Over a dozen groups play this game.


Until now, authorities have caught only three MageCart hackers, who are part of a larger group that has infected at least 571 stores since 2017. They collected about 1,000 cards and user account logins every week and either sold them on underground forums or used them to buy goods.


