Lets See How these Groups Approach Your website :
Information Gathering on targeted web application ,Please check the request map tool or any other https://requestmap.webperf.tools/
Above picture illustrated that ,Attacker is trying to see the bigger picture of your web application and its external thirty party apps ( Advertising ,Ad Exchange ,CDN Fonts ,Hosted Libraries etc) , Now attackers will try all possible ways to compromise your website directly or through supply chain attacks.
Lets see what happens when you do happy shopping on this skimmer implanted websites :
Once the victim successfully proceed checkout ,A new page appears to get your card number ,CVV, expiry date.Once transaction is complete your order is placed.All the payment-card data are stolen and data is ex filtrated to malicious domain.
NOTE: Transactions are made through dummy credit cards and now its time to see what happens behind the scene of shopping .
Lets See The Indicator of Compromise :
When i try to decode the encoded base64 value ,this is what happens. Base64 decode results as Unknown website.
Unknown website is submitted to VirusTotal to check the reputation and results came up with 6/82.Some Av Vendors flagged this website as malicious.
Apart from virus total analysis ,I have downloaded above URL source code to review any anomaly.
Yes !!! Its confirmed the code is malicious and related with web skimming to steal all the customers payment-card data.
Reviewing The Content Security Policy :
NOTE : While proceeding checkout on shopping website ,My sniffer was running at background .Lets check there results also.
Content Security Policy (CSP) is an additional layer of security that helps to detect and mitigate certain types of attacks.This layer of security provides policies to harden like where to get and execute the scripts on your websites. Lets check the same with this case.
Above image shows that ,CSP is ensuring that above domains are allowed to execute scripts on the Referrer,Which is nothing but a cart check out page where the user is going do an transaction.
Since shopping cart website have given the CSP with wildcard *.google-analytics.com .Attacker taking this advantage and overwriting his own malicious domain which is bypassing the CSP.
Now sniffer shows that all the user payment details are exfiltrated to malicious actors domain.Its always necessary and thumb rule to secure your code and review your clients code too !!! Happy Investigation !!