Video Conference Firm Targeted for Payment Card Skimming

Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

Malwarebytes Says PlayBack Now Customer Sites Compromised

Video Conference Firm Targeted for Payment Card Skimming Circled is the line of JavaScript indicating the website is compromised. (Source: Malwarebytes)

While most payment card skimming attacks zero in on ecommerce sites for consumers, a newly discovered attack targeted PlayBack Now, an online video conferencing firm, Malwarebytes reports.

See Also: Live Webinar | Unlocking the Full Potential of Public Key Infrastructure

PlayBack Now was hit with a two-pronged attack designed to steal payment card and other information from the company’s customers who uses websites created by the firm, according to Malwarebytes. Fraudsters created a typosquatting-based website as an obfuscation tool to fool site administrators. And they injected a JavaScript skimmer into the Magento e-commerce platform within the websites PlayBack Now built for its customers.

About 40 PlayBack Now customers, including the National Association of Realtors, American Diabetes Association and the American College of Physicians, have been affected by the scam, but the number of their clients that may have had data compromised is not known. Information stolen includes cardholder names, credit card numbers, expiration dates and the card’s CVV, according to Malwarebytes.

The attackers have not been identified as being members of a group that falls under the Magecart umbrella of card-skimming gangs. But their use of a JavaScript skimmer is similar to the Magecart aproach (see: Magecart Group Hits Small Businesses With Updated Skimmer).

Typosquatting Attack

PlayBack Now creates websites for its customers, who then use them to host virtual conferences or to play purchased content. The fraudsters installed JavaScript skimmers inside some of these sites.

Malwarebytes created a fake website to facilitate the skimmer installation. The site’s home page acted only as a placeholder that enabled the attackers to use its URL to hide the JavaScript skimmer inside the customer sites, according to the report.

“The typosquatting is meant to deceive site administrators reviewing the page’s source code, rather than shoppers typing in the wrong address,” Jerome Segura, director of threat intelligence at Malwarebytes, tells Information Security Media Group. “The whole idea is to inject a malicious line of code using a domain name that looks like the real one. If you’re not paying too much attention you might think that this link is legitimate.”

When a PlayBack Now customer purchased a course or conference recording via an infected website, their personal and credit card data was leaked to criminals via the same malicious domain housing the skimmer, according to Malwarebytes.

Malwarebytes disclosed the following information on the fake website the fraudsters used to facilitate skimmer installation:

  • Domain name:;
  • Creation Date: 2020-09-21T20:22:10.00Z;
  • Registrar: NAMECHEAP INC;
  • Registrant Name: WhoisGuard Protected;
  • Registrant Street: P.O. Box 0823-03411;
  • Registrant City: Panama.

Accessing PlayBack Now

Malwarebytes says it’s possible the attackers may have used the Golang brute force tool, or the initial breach may have exploited a Magento vulnerability.

The researchers noted thousands of Magento content management systems were attacked after the release of the Golong exploitation tool (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

A spokesperson for PlayBack Now did not immediately reply to a request for comment.

Share this post

Share on facebook
Share on linkedin
Share on print
Share on email

Subscribe to our Monthly Cyber Security Digest

Get monthly content to keep you up to date on the latest news and tips