Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors.

This type of attack is called Magecart and involves hackers compromising a web site and injecting malicious JavaScript into eCommerce or checkout pages. These scripts will then steal any credit cards or payment information that is submitted and send it off to a remote site under the attacker's control.

The Malwarebytes Threat Intelligence Team has discovered a legitimate web site collecting donations for the tragic bushfires in Australia that has been compromised by a Magecart script.

While the donors were probably not targeted by this attack, they are unfortunately caught in the crossfire.

When a visitor of the site adds an item to their cart, such as a donation, a malicious credit-card skimmer script named ATMZOW will be loaded into the checkout pages.

Donation page with the ATMZOW skimmer

When a user submits their payment information as part of the checkout process, the malicious script will steal the submitted information and send it to the vamberlo[.]com domain. This domain is obfuscated in the script as shown below.

The obfuscated domain that payment information is sent to

Malwarebytes' Jérôme Segura has told BleepingComputer that once they became aware of the compromised site, they were able to get the vamberlo[.]com domain shut down.

For now, this means that any visitors to the site will no longer have their payment information stolen.

As the code is still active on the site, though, it could be modified by the hackers to utilize a new domain that will enable the skimming script again.

Malwarebytes has contacted the site about the malicious script injected into their eCommerce store but has not heard back at this time.
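
Because the injected script stays on the checkout pages after its exfiltration domain is taken down, and the domain is obfuscated inside it, a site owner's check has to compare the page's scripts with a reviewed baseline rather than search for one known domain. The sketch below is an added example, not code from this article or from Malwarebytes. The function names, URLs, hosts and script bodies are all constructed, and the `fetched` map stands in for downloading each external script.

```javascript
// Added example (not from the article): audit a checkout page's scripts
// against a reviewed baseline. All URLs, hosts and script bodies are constructed.
const { createHash } = require("crypto");

const sha256 = (text) =>
  "sha256-" + createHash("sha256").update(text, "utf8").digest("base64");

// List every <script> on the page: external ones by absolute URL, inline ones by body.
function extractScripts(html, pageUrl) {
  const found = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tag)) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) found.push({ url: new URL(src[1] ?? src[2] ?? src[3], pageUrl).href });
    else if (body.trim()) found.push({ url: null, body });
  }
  return found;
}

// baseline: Map of script URL -> expected hash, plus a Set of approved inline hashes.
// fetched: Map of script URL -> body as served now (stands in for an HTTP fetch).
function auditCheckout(html, pageUrl, baseline, fetched) {
  const findings = [];
  for (const s of extractScripts(html, pageUrl)) {
    if (s.url === null) {
      const h = sha256(s.body);
      if (!baseline.inline.has(h)) findings.push({ type: "unknown-inline", id: h });
    } else if (!baseline.external.has(s.url)) {
      findings.push({ type: "unknown-external", id: s.url });
    } else if (sha256(fetched.get(s.url) ?? "") !== baseline.external.get(s.url)) {
      findings.push({ type: "modified-external", id: s.url });
    }
  }
  return findings;
}

// Constructed sample: one reviewed script, then the same page after tampering.
const PAGE = "https://shop.example/checkout";
const cartJs = "function total(items){return items.length;}";
const baseline = {
  external: new Map([["https://shop.example/js/cart.js", sha256(cartJs)]]),
  inline: new Set(),
};
const tamperedHtml =
  '<script src="/js/cart.js"></script>' +
  "<script src='https://cdn.invalid/a.js'></script>" +
  "<script>var constructedInline = 1;</script>";
const tamperedFetched = new Map([["https://shop.example/js/cart.js", cartJs + "/* appended */"]]);
console.log(auditCheckout(tamperedHtml, PAGE, baseline, tamperedFetched));
```

The regular-expression extraction is enough for this sample; a production check would audit the rendered DOM of the checkout flow, since a skimmer may only load after an item is added to the cart.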

Skimmer active on other sites

Using the PublicWWW tool, Troy Mursch of Bad Packets Report has also discovered that this same script is currently active on 39 other web sites.

It is not known if those sites are utilizing the same domain to send payment information.

If they are, then with the shutdown of the vamberlo[.]com domain, those skimmers will no longer be active either.