Researchers have been monitoring a campaign in which cybercriminals compromised many e-commerce websites in an effort to steal payment card and other sensitive information provided by their customers.
Security experts from cloud-based security solutions provider RiskIQ have been monitoring a hacking campaign, dubbed Magecart, in which crooks hacked many e-commerce websites in an effort to steal payment card and other sensitive customer data.
The peculiarity of the Magecart campaign is that threat actors were injecting a keylogger directly into the target website.
As explained in the analysis, web-based keylogger injection attacks are still little-known, even though they’ve been occurring for a long time.
“Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—Magecart, a recently observed instance of threat actors injecting a keylogger directly into a website, is one of these.” reads the analysis published by RiskIQ.
The Magecart campaign was first spotted in March 2016, but it is likely it was started before and it is still active today.
Researchers observed a peak in the Magecart campaign in June, in conjunction with the adoption of an Eastern European bulletproof hosting service.
The attackers targeted several e-commerce platforms including Magento, Powerfront CMS and OpenCart. The researcher documented attacks against several payment processing services, including Braintree and VeriSign.
Experts at RiskIQ have identified more than 100 online shops compromised as part of the Magecart campaign, including e-commerce platforms of popular book publishers, fashion companies, and sporting equipment manufacturers. The cybercrooks even attacked the gift shop of a UK-based cancer research organization.
“Formgrabber/credit card stealer content is hosted on remote attacker-operated sites, served over HTTPS. Stolen data is also exfiltrated to these sites using HTTPS.” states the analysis.
Once data is captured by the web-keylogger it is sent to the C&C server over HTTPS.
The web-keylogger is loaded from an external source instead of injecting it directly into the compromised website, simplifying the malware maintenance.
The researchers observed a continuous improvement of the threat over time as detailed by RiskIQ:
For further information of the Magecart campaign give a look at the datailed report.
(Security Affairs – Magecart, e-commerce)