Magecart*threat actors have been spotted this week while starting to abuse Salesforce's Heroku*cloud application platform to host*their card skimming scripts and to store stolen*payment card info.
Heroku*is a cloud platform-as-a-service (Paas) designed to help companies and individual developers to speedily build and host web apps without having to worry about also managing the infrastructure behind them.
Multiple examples of*Heroku-hosted*Magecart skimmers were found by*Malwarebytes' Threat Intelligence team with most of them being used in active campaigns since the beginning of this week.
The Magecart scripts found on Heroku*were all reported to the Salesforce Abuse Operations team*which promptly took them all down according to the Malwarebytes researchers.
Heroku-hosted skimmer found on Panafoto (Image: Malwarebytes Labs)
Heroku used and abused

The threat actors took advantage of the Heroku freemium model that allowed them to use the platform as a free web hosting service for their skimming operations after registering a free account.
With the help of Heroku, they were able to easily create modular card skimming web apps featuring a core skimmer module that got injected within compromised e-commerce sites using a single line of code.
"Its goal is to monitor the current page and load a second element (a malicious credit card iframe) when the current browser URL contains the Base64 encoded string Y2hlY2tvdXQ= (checkout)," Malwarebytes Director of Threat Intelligence Jérôme Segura adds.
The rogue iframe displayed by the malicious web app over the*payment forms is identical to the originals and it is designed to collect the customers' credit card information without their knowledge and without raising any red flags.
Skimmer overlay iframe*(Image: Malwarebytes Labs)
Once it successfully*harvests a user's card info, the stolen data will be automatically sent back to the Magecart skimmer web app's storage space on Heroku in encoded format.
"Finally, the stolen data is exfiltrated, after which victims will receive an error message instructing them to reload the page,"*Malwarebytes' researchers found. "This may be because the form needs to be repopulated properly, without the iframe this time."
Cloud providers, a favorite skimmer hosting choice

Magecart*groups*are*exploiting vulnerable e-commerce stores as part of so-called e-skimming attacks*by injecting malicious JavaScript-based scripts into*checkout pages. Their*end goal is of harvesting payment info submitted by their*customers and*sending it to remote sites the attackers control.
This is not the first time Magecart threat actors abused cloud services, with GitHub being used to host obfuscated card skimming scripts that eventually got injected within hundreds of compromised online stores as Malwarebytes also discovered in April.
In June, Magecart attacks injected skimmers hosted on compromised*Amazon CloudFront*CDN S3 buckets within the*Washington Wizards page on the official NBA.com site.
One month later, over 17,000 domains got infected with*payment card skimming code by attackers who abused*misconfigured Amazon S3 buckets as found by*researchers at RiskIQ.
The cybercrime*groups behind these types of attacks have been active since at least 2010 per a RiskIQ report from October,*and they are known to focus*on Magento-powered sites, although they've also recently started to*also target OpenCart, PrismWeb, ??????and OSCommerce-powered stores.
RiskIQ estimates*that these web skimming operations may have already affected millions of e-commerce customers, with telemetry data showing a total of 2,086,529 instances of Magecart detections.