Simultaneous Magecart attacks skim credit card data

News by Rene Millman

Multiple, uncoordinated Magecart attacks have been skimming credit cards from sites at the same time

Security researchers have discovered a new trend where multiple Magecart attacks have been observed skimming credit cards from sites at the same time.

Each attack used a different technique and simultaneous attacks did not appear to be coordinated, said a blog post by researchers at PerimeterX. Researchers added that there is also a larger trend starting where Magecart attacks are becoming more organised, with attackers sharing tools and targeting sites using e-commerce platforms.

"In some cases, the groups are running attack campaigns simultaneously without realising, in an effort to maximise reach while minimising their level of effort," said Mickey Alton, research team leader at PerimeterX.

While looking into a recent attack on clothing eCommerce website Sixth June, researchers found the skimming data being posted to the hostname mogento.info, which is also hosting the skimmer. Scanning the web for the data sourced from the same domain, researchers unearthed other sites infected by the same skimmer, including PEXSuperstore.com. 

Further investigation found a second Magecart attacker injecting yet another skimmer and exfiltrating card data to https://assetstorage.net/, a site registered in Russia less than two months ago.

"The two skimmers were completely different from each other in terms of code, obfuscation level and complexity," said Alton. "But, both attacks targeted Magento-based sites and used similar methods of code injection and served malicious first-party code to unsuspecting users."

The Sixth June attacker directly compromised the websites with a decoy snippet that masqueraded as a Google Analytics script. On PexSuperstore, the same attacker used a much simpler loader than in the Sixth June attack, according to researchers.

"The decoy script then pulled in an obfuscated snippet that loads the skimmer from a remote server controlled by the attacker. This direct site compromise is called a first-party attack. The second Magecart attacker also compromised the website, this time with no loader script planted. The attacker modified the first-party script related to the checkout process and added skimming code at the bottom of the original script," said Alton.

Alton added that the discovery of multiple simultaneous Magecart attacks shows that digital skimming is "rapidly becoming a major threat to global e-commerce businesses".

SentinelOne senior director Patrice Puichau told SC Media UK that whether you’re using Shopify, Magento or some other platform, there should be a range of security plugins available that can fortify your eCommerce platform. 

"Plugins can do specific tasks to beef up your defences like detect bots, blacklist visitors from particular locations and even protect the content on your web pages by preventing things like right-click interactions or drag-and-drop actions," he said.

Yonathan Klijnsma, head of threat research at RiskIQ, told SC Media UK that businesses need a continued focus on visibility into their internet-facing attack surfaces, as well as increased scrutiny of the third-party services used in their web applications. 

"Magecart's recent ravages have shown that current investments in securing corporate infrastructure are ineffective in dealing with browser-based attacks. Companies will continue to be overwhelmed by the scale and tenacity of these kinds of groups, especially as attacks are launched from outside the firewall and the data theft occurs in the user's browser. This is well outside the scope of modern network monitoring tools, requiring a new kind of monitoring that looks at things from the perspective of the end-user," he added.
