According to a blog post by Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, the investigation was kicked off late last year when an acquaintance of his was notified by their credit card company that a transaction of substantial value was pending.
Tracing back, the researcher found that the victim had recently made a single purchase at one online store: focuscamera.com, a legitimate photography retailer.
Hahad found that on the checkout page, credit card data was being submitted to two different sites: zdassets.com and zdsassets.com. The latter had been set up by the attackers and registered on 11 November 2019 with a hosting provider in the Netherlands.
"Based on some DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation. It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns. At this time, we don't have any telemetry to prove it one way or the other," said Hahad.
"This attack has all the hallmarks of a Magecart attack, going after the client-side skimming of payment card data. This is not any particular hacker group, but rather a consortium of threat actors using similar methods to compromise third-party libraries in a supply chain attack, or simply hacking into the target website to implant malicious code. Amongst the well-known victims are British Airways, TicketMaster, NewEgg and more," he said.
After realising focuscamera.com was breached, Juniper Threat Labs immediately contacted the site owners via an online contact form as well as leaving voicemails. A later follow-up call resulted in the malicious code being removed from the site.
Pedro Fortuna, CTO at Jscrambler, told SC Media UK that there is often a misconception that a company's web application firewall prevents this rogue third-party code from running on its website; however, because it originates from a source that is trusted by default, a legitimate third-party supplier, this malicious code easily bypasses network defenders.
"Despite this, there are some security measures that companies should put in place - like limiting and vetting external code and setting up a Content Security Policy - but these still fail to guarantee that Magecart will be effectively prevented, especially when these attacks are getting more sophisticated," he said.
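As an added example, not code from the article, Juniper's post or any of the vendors quoted: a minimal Content Security Policy host-source matcher showing how a checkout-page policy that allow-lists only the shop's own origin and the legitimate zdassets.com host would block a fetch or form submission to the look-alike zdsassets.com. The policy, the shop.example origin and the destination URLs are constructed assumptions; path matching and the spec's http-to-https upgrade rule are omitted.

```javascript
const PAGE_ORIGIN = 'https://shop.example'; // constructed placeholder for the retailer's origin

// Checkout-page policy: only the shop itself may receive form posts or fetches,
// plus the legitimate asset host named in the article. The look-alike
// zdsassets.com is deliberately not listed.
const CHECKOUT_CSP = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://zdassets.com'],
  'connect-src': ["'self'", 'https://zdassets.com'],
  'form-action': ["'self'"],
};

// Render the policy as the Content-Security-Policy header value a server sends.
function serialiseCsp(policy) {
  return Object.entries(policy).map(([d, s]) => `${d} ${s.join(' ')}`).join('; ');
}

const defaultPort = (proto) => ({ 'https:': '443', 'http:': '80' }[proto] || '');

// Does one source expression match the destination URL? Supports 'self',
// scheme-only sources and host sources with optional scheme, leading wildcard
// and port. Path matching and the http->https upgrade rule are omitted.
function sourceMatches(expr, dest, pageOrigin) {
  if (expr.startsWith("'")) return expr === "'self'" && dest.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return dest.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && dest.protocol !== `${scheme.toLowerCase()}:`) return false;
  const h = dest.hostname.toLowerCase(), want = host.toLowerCase();
  if (!(wildcard ? h.endsWith('.' + want) : h === want)) return false; // no suffix tricks
  if (port && port !== '*' && (dest.port || defaultPort(dest.protocol)) !== port) return false;
  return true;
}

// Would the browser permit `destUrl` under `directive`? Fetch directives fall
// back to default-src as in CSP; form-action does not.
function allowedBy(policy, directive, destUrl, pageOrigin = PAGE_ORIGIN) {
  const dest = new URL(destUrl);
  let sources = policy[directive];
  if (!sources && directive !== 'form-action') sources = policy['default-src'];
  if (!sources) return true; // nothing to enforce for this directive
  return sources.some((expr) => sourceMatches(expr, dest, pageOrigin));
}

// Constructed destinations modelled on the two hosts named in the article.
console.log(serialiseCsp(CHECKOUT_CSP));
console.log('zdassets.com connect :', allowedBy(CHECKOUT_CSP, 'connect-src', 'https://zdassets.com/'));
console.log('zdsassets.com connect:', allowedBy(CHECKOUT_CSP, 'connect-src', 'https://zdsassets.com/'));
console.log('zdsassets.com form   :', allowedBy(CHECKOUT_CSP, 'form-action', 'https://zdsassets.com/'));
```

Pairing such a policy with a report-to or report-uri endpoint turns every blocked request into a log entry, which is the signal a defender would watch for after a third-party script changes.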
Paul Bischoff, privacy advocate at Comparitech.com, told SC Media UK that if the skimming script is still active, Focus Camera needs to disable the payment page right away until it is fixed.
"Otherwise they are actively compromising every customer's payment details. If you're a Focus Camera customer, keep a close eye on your credit card statements and dispute any unauthorised activity, no matter how small. Criminals will often charge stolen credit cards small amounts to see if they're still valid before selling them to someone who will steal a lot more," he said.