Security researchers at Sansec have discovered an active keylogger planted on the employee merchandise store of a “top 3 US bank,” potentially exposing the credentials and personal data of over 200,000 employees.
The malware, which was live for approximately 18 hours before being removed, was designed to intercept “everything typed into the site’s forms: login credentials, payment card numbers, personal information”.
While banks typically invest heavily in securing their core banking infrastructure, this incident highlights a critical blind spot: the “side doors” created by internal portals and third-party platforms.
“Employee stores frequently fall outside the scope of standard security audits, making them juicy targets,” the report notes.
The danger is magnified by human behavior. “This breach is worrying because bank employees often reuse corporate credentials,” Sansec warns. “Stolen passwords could provide attackers with footholds into internal banking systems”.
The attack utilized a sophisticated two-stage loader designed to evade detection. The malware first checks whether the user is on a checkout page. If so, it loads an external script from https://js-csp.com/getInjector/.
Once loaded, the second stage kicks in. “The second-stage payload harvests all form data on the page,” capturing inputs from every field. This stolen data is then exfiltrated via an image beacon—a common technique that bypasses many security controls by disguising the data theft as a simple image request.
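Both stages described above depend on the browser being allowed to fetch an unlisted script and then send an image request to an unlisted host. A Content-Security-Policy that only permits known asset hosts blocks both, and its violation reports are a detection signal. The following is an added example, not code from Sansec or the affected store: it builds such a policy and triages the browser's CSP violation reports, flagging the domains the report names as part of the getInjector campaigns. The allowlist hosts, the `/csp-report` endpoint and the sample reports are constructed assumptions.

```python
"""Generate a restrictive CSP and triage browser CSP violation reports for
signs of a checkout skimmer: an unexpected script host, or an image request
to an unlisted host carrying data in its query string (an image beacon)."""
import json
from urllib.parse import urlparse

# Hosts the store legitimately loads scripts and images from (assumed allowlist).
ALLOWED_HOSTS = {"shop.example.com", "cdn.example.com"}

# Domains Sansec names in the report as part of the getInjector campaigns.
KNOWN_BAD_HOSTS = {"js-csp.com", "artrabol.com", "js-stats.com", "js-tag.com"}


def csp_header(report_path="/csp-report"):
    """Build a Content-Security-Policy header value that permits only listed
    hosts for scripts and images and reports every violation to report_path.
    An unlisted loader script or an image beacon to an unknown host is both
    blocked and reported."""
    hosts = " ".join(f"https://{h}" for h in sorted(ALLOWED_HOSTS))
    return (
        f"default-src 'self'; script-src 'self' {hosts}; "
        f"img-src 'self' {hosts}; connect-src 'self'; "
        f"report-uri {report_path}"
    )


def triage_report(report_json):
    """Classify one browser CSP violation report (the 'csp-report' JSON shape).
    Returns a dict with verdict, severity, offending host and directive."""
    body = json.loads(report_json).get("csp-report", {})
    directive = body.get("effective-directive") or body.get("violated-directive") or ""
    blocked = urlparse(body.get("blocked-uri", ""))
    host = blocked.hostname or ""
    on_checkout = "checkout" in urlparse(body.get("document-uri", "")).path.lower()

    if host in KNOWN_BAD_HOSTS:
        verdict = "known_skimmer_domain"
    elif host and host not in ALLOWED_HOSTS and directive.startswith("script-src"):
        verdict = "unexpected_script"
    elif host and host not in ALLOWED_HOSTS and directive.startswith("img-src") and blocked.query:
        # Stolen form data rides in the image URL's query string. Some browsers
        # strip the query from blocked-uri, so this is a heuristic; without the
        # query the request still surfaces below as "unlisted_host".
        verdict = "possible_image_beacon"
    elif host and host not in ALLOWED_HOSTS:
        verdict = "unlisted_host"
    else:
        verdict = "benign"

    if verdict == "benign":
        severity = "low"
    elif verdict == "known_skimmer_domain" or on_checkout:
        severity = "high"  # anything unexpected on a checkout page is urgent
    else:
        severity = "medium"
    return {"verdict": verdict, "severity": severity, "host": host,
            "directive": directive, "on_checkout": on_checkout}


# Constructed sample reports: a loader fetch, an image beacon, and a benign control.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example.com/checkout/",
        "effective-directive": "script-src",
        "blocked-uri": "https://js-csp.com/getInjector/"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example.com/checkout/",
        "effective-directive": "img-src",
        "blocked-uri": "https://collector.example.net/p.gif?d=ZXhhbXBsZQ"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://shop.example.com/",
        "effective-directive": "img-src",
        "blocked-uri": "https://cdn.example.com/logo.png"}}),
]

if __name__ == "__main__":
    print("Content-Security-Policy:", csp_header())
    for report in SAMPLE_REPORTS:
        print(triage_report(report))
```

The policy is the mitigation and the triage is the detection: with `img-src` restricted, the beacon never leaves the browser, and the violation report arrives at the store's own endpoint within seconds rather than surfacing only after a third party notices. Note that an `effective-directive` of `script-src-elem` (reported by newer browsers) is handled by the prefix match.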
This is not an isolated incident. Sansec identified a clear pattern linking this attack to previous campaigns, including one targeting the Green Bay Packers last year.
“This is the fifth getInjector campaign Sansec has uncovered in the past 12 months,” the researchers state, listing several related domains such as artrabol.com, js-stats.com, and js-tag.com.
Alarmingly, standard security tools completely missed this threat. At the time of discovery, VirusTotal showed that only “1 out of 97 security vendors” detected the malicious URL.
“A trillion-dollar security budget is clearly no guarantee for security,” the report concludes, emphasizing the need for specialized detection tools for ecommerce environments.
Sansec also criticized the bank’s lack of a security.txt file, noting that it made it “unnecessarily hard to get in touch with the right people” to report the breach.