Magecart customers pay twice due to hacking of website code

News by Rene Millman

Hackers accessed the website's source code to inject malicious JavaScript, so payment details submitted at checkout were sent to two addresses: the retailer and the crooks.

Customers of photography retailer Focus Camera ended up paying twice for purchased goods after Magecart hackers injected JavaScript code into the website that submitted all credit card details to a command-and-control server of their own as customers checked out.

According to a blog post by Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, the investigation was kicked off late last year when someone he knew was notified by their credit card company that a transaction for a purchase of substantial value was pending.

Tracing back, the researcher found that the victim had recently made a single purchase at one online store: focuscamera.com, a legitimate photography retailer.

Hahad found that on the checkout page, credit card data was being submitted to two different sites: zdassets.com and zdsassets.com. The latter was set up by the hackers and registered on 11 November 2019 with a hosting provider in the Netherlands.

"Based on some DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation. It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns. At this time, we don't have any telemetry to prove it one way or the other," said Hahad.

Hahad discovered that the hacker had modified a JavaScript file to inject an obfuscated payload. The routine is encoded using base64; after decoding it, Hahad found a script performing malicious activity.

"This attack has all the hallmarks of a Magecart attack, going after the client-side skimming of payment card data. This is not any particular hacker group, but rather a consortium of threat actors using similar methods to compromise third-party libraries in a supply chain attack, or simply hacking into the target website to implant malicious code. Amongst the well-known victims are British Airways, TicketMaster, NewEgg and more," he said.

After realising focuscamera.com was breached, Juniper Threat Labs immediately contacted the site owners via an online contact form as well as leaving voicemails. A later follow-up call resulted in the malicious code being removed from the site.

Pedro Fortuna, CTO at Jscrambler, told SC Media UK that there is often a misconception that a company's Web Application Firewall prevents this rogue third-party code from running on its website; however, because the code originates from a source that is trusted by default, a legitimate third-party supplier, it easily bypasses network defences.

"Despite this, there are some security measures that companies should put in place - like limiting and vetting external code and setting up a Content Security Policy - but these still fail to guarantee that Magecart will be effectively prevented, especially when these attacks are getting more sophisticated," he said.
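As an added example (not code from the article, Juniper or Focus Camera), the policy comparison below evaluates a weak and a hardened Content Security Policy against the skimmer domain named above, assuming a hypothetical page origin of https://focuscamera.com and a constructed exfiltration path. It shows the caveat behind Fortuna's point: form-action does not inherit default-src, so a default-src-only policy still lets an injected form post card data to another host.

```javascript
// Added example: a small CSP evaluator comparing a weak policy with a hardened
// one against the two card-data destinations the article names. Host matching
// covers scheme, a leading *. wildcard and 'self'; ports, paths, nonces ignored.

// Directives that fall back to default-src when absent. form-action does NOT,
// so a policy that only sets default-src leaves form posts unrestricted.
const FALLS_BACK_TO_DEFAULT = new Set(["connect-src", "img-src", "script-src"]);

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(source, target, pageOrigin) {
  if (source === "'self'") return target.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() !== target.protocol.slice(0, -1)) return false;
  const h = target.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Returns true when `url` is a permitted destination for `directive`.
function cspAllows(policy, directive, url, pageOrigin) {
  const directives = parseCsp(policy);
  let sources = directives[directive];
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(directive)) {
    sources = directives["default-src"];
  }
  if (sources === undefined) return true; // no applicable directive: unrestricted
  const target = new URL(url);
  return sources.some((s) => sourceMatches(s, target, pageOrigin));
}

const PAGE_ORIGIN = "https://focuscamera.com"; // assumed page origin
// Weak policy: default-src only. connect-src inherits it; form-action does not.
const WEAK_CSP = "default-src 'self'";
// Hardened policy: explicit allow lists, with form posts limited to the site itself.
const STRICT_CSP = "default-src 'self'; connect-src 'self'; img-src 'self'; form-action 'self'";
// Constructed sample: the skimmer domain named in the article, with a made-up path.
const EXFIL_URL = "https://zdsassets.com/collect";
// Lists which exfiltration channels a policy leaves open to EXFIL_URL.
function openChannels(policy) {
  return ["connect-src", "img-src", "form-action"].filter((d) => cspAllows(policy, d, EXFIL_URL, PAGE_ORIGIN));
}
```

Under the weak policy only form-action stays open; the hardened policy closes all three channels while still permitting the site's own checkout post.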

Paul Bischoff, privacy advocate at Comparitech.com, told SC Media UK that if the skimming script is still active, Focus Camera needs to disable the payment page right away until it is fixed.

"Otherwise they are actively compromising every customer's payment details. If you're a Focus Camera customer, keep a close eye on your credit card statements and dispute any unauthorised activity, no matter how small. Criminals will often charge stolen credit cards small amounts to see if they're still valid before selling them to someone who will steal a lot more," he said.
