New wave of Magecart attacks

Magecart, in operation since 2015, is software used by a range of hacking groups to implant malicious computer code into websites and third-party suppliers of digital systems to steal credit card info as people enter it at a checkout page.

It has been used in combination with commodity Magento extension attacks and with the ‘Shopper Approved’ ecommerce toolkit utilised on hundreds of ecommerce sites, as well as in high-profile targeted attacks such as those on Newegg, Ticketmaster and British Airways.


According to security researchers from RiskIQ and Trend Micro, a new Magecart subgroup, labelled “Magecart Group 12,” surfaced in January and compromised nearly 277 different e-commerce websites in less than a week using supply-chain attacks. A supply-chain attack of this kind abuses a third-party component that the site loads, such as a shopping cart widget, rather than the site’s own code. RiskIQ has been tracking the activity of groups using Magecart for several years.

The digital theft of credit card info, known as skimming, has seen a change of tactics in recent campaigns. Typically, Magecart hackers compromise e-commerce sites directly and insert malicious JavaScript code into their checkout pages; the script silently captures the payment information of customers making purchases on the site and then sends it to the attacker’s remote server.

However, the researchers from the two firms today revealed that instead of directly compromising the targeted websites, Magecart Group 12 hacked a third-party JavaScript library used by e-commerce websites to serve advertisements, injecting base64-encoded malicious code that is decoded at runtime and injected into the page.

The third-party library targeted by Magecart Group 12 belongs to the French online advertising company Adverline. The attackers are said to have compromised a content delivery network for ads run by the company, adding a stager that loads the skimmer code.

This means that any website loading script from the ad agency’s ad tag would inadvertently load the digital skimmer for visitors.

“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.
