How Hackers Are Installing Malware On AmeriCommerce Sites

by 1337pwn Staff

Hackers are installing malware on eCommerce sites powered by the AmeriCommerce software for the purposes of rerouting customers to a fake AmeriCommerce site to steal payment information, according to website security company Sucuri.

AmeriCommerce is a popular eCommerce software that is designed for high-volume online stores and intricate projects. AmeriCommerce product pages generally comprise an HTML form with the information regarding the item and an “Add to Cart” button.

Cart button. Credit: Sucuri Blog

The cart is situated on an AmeriCommerce server inside a subdomain of, and the form’s ‘action‘ parameter specifies that particular subdomain:

<form action="hxxps://<>" method=POST>

Sucuri discovered hackers injecting the script hxxps://[.]pw/js/scr.js on one AmeriCommerce website which loaded the subsequent code:

This script modifies the value of the form’s ‘action’ parameter to hxxps://[.]pw/shopcart.php?add.x=15&add.y=16.

Once a customer clicks on the “Add to Cart” button with this new action parameter, they are transferred to a fake AmeriCommerce shopping cart ([.]pw) controlled by the hacker. The fake site appears to closely resemble a regular AmeriCommerce shopping cart web page.

Phony AmeriCommerce webpage. Credit: Sucuri Blog

Customers are subsequently sent to a tailored phony checkout webpage where they are directed to enter private information like names, addresses, and payment information to complete the transaction.

Phony AmeriCommerce checkout webpage. Credit: Sucuri Blog

Sucuri emphasizes the fact that all the information entered by the customer ultimately is sent directly to the hackers responsible. After a customer submits their private information, they will see a webpage that states “Error 402. Error making payment, try a little later or use other payment details. Back to homepage“.

Phony AmeriCommerce failed transaction webpage. Credit: Sucuri Blog

Evidently, the fake failed transaction page was designed to conceal the fact that hackers have successfully stolen valuable information that could eventually be sold on the dark web.

Furthermore, Sucuri notes that the domain “shoppingcommerce[.]pw” is hosted in Russia on a shared server.

Potential Consequences

The potential consequence of this attack is that it could possibly be deployed against other AmeriCommerce websites.

The script looks for the generic section of the cart URL “” and no further modifications are necessary for attacks against other sites.

Nevertheless, Sucuri mentions that this attack appears to be targeting one particular website considering that the checkout page has been tailored for this specific campaign.

Significantly, Sucuri also states that there lacks evidence that the AmeriCommerce software has any security vulnerabilities.


Hackers are continuing to utilize their scripting knowledge and technical skills to compromise eCommerce websites successfully.

Cybercriminals are prepared to spend their valuable time and resources to make enormous profits.

Related Posts