Researchers have been monitoring a campaign dubbed Magecart that compromised many ecommerce websites to steal payment card and other sensitive data.
Researchers have been monitoring a campaign in which cybercriminals compromised many e-commerce websites in an effort to steal payment card and other sensitive information provided by their customers.
Security experts from cloud-based security solutions provider RiskIQ have been monitoring a hacking campaign, dubbed Magecart, in which crooks hacked many e-commerce websites in an effort to steal payment card and other sensitive customer data.
The peculiarity of the Magecart campaign is that threat actors were injecting a keylogger directly into the target website.
As explained in the analysis, web-based keylogger injection attacks are still little-known, even though they’ve been occurring for a long time.
“Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—Magecart, a recently observed instance of threat actors injecting a keylogger directly into a website, is one of these.” reads the analysis published by RiskIQ.
The Magecart campaign was first spotted in March 2016, but it is likely it was started before and it is still active today.
Researchers observed a peak in the Magecart campaign in June, in conjunction with the adoption of an Eastern European bulletproof hosting service.
The attackers targeted several e-commerce platforms including Magento, Powerfront CMS and OpenCart. The researcher documented attacks against several payment processing services, including Braintree and VeriSign.
Experts at RiskIQ have identified more than 100 online shops compromised as part of the Magecart campaign, including e-commerce platforms of popular book publishers, fashion companies, and sporting equipment manufacturers. The cybercrooks even attacked the gift shop of a UK-based cancer research organization.
“Formgrabber/credit card stealer content is hosted on remote attacker-operated sites, served over HTTPS. Stolen data is also exfiltrated to these sites using HTTPS.” states the analysis.
Once data is captured by the web-keylogger it is sent to the C&C server over HTTPS.
The web-keylogger is loaded from an external source instead of injecting it directly into the compromised website, simplifying the malware maintenance.
The researchers observed a continuous improvement of the threat over time as detailed by RiskIQ:
Testing and capabilities development
Increased scope of targeting payment platforms
Development and testing of enhancements
Addition of obfuscation to hinder analysis and identification
Attempts to hide behind brands of commonplace web technologies to blend in on compromised sites
For further information of the Magecart campaign give a look at the datailed report.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.