Magecart Skimming Tactics Evolve – DataBreachToday
Malwarebytes Describes Updated Attack Techniques
Magecart Group 12, known for skimming payment cards from e-commerce websites using JavaScript skimmers, is using an updated attack technique to gain remote administrative access to sites that run an older version of Adobe’s Magento software, according to an analysis by Malwarebytes Labs’ Threat Intelligence Team.
Magecart Group 12, one of at least seven distinct cybercriminal groups operating under the Magecart umbrella and a group that was also involved in a hacking spree last fall, is now using an updated technique built around PHP web shells known as Smilodon or Megalodon, Malwarebytes says. Rather than planting the skimmer directly in the page, the web shells fetch the JavaScript skimming code with server-side requests and inject it into online stores, which keeps the loader out of sight of client-side security tools while the payment data is stolen.
In previously reported Magecart-style attacks, a malicious skimming script was injected into payment checkout pages, with credit card and personal information skimmed off and sent to a remote server, according to an analysis by Trend Micro.
“We discovered several dozen compromised websites with exactly the same pattern. All of them are running Magento version 1,” Jérôme Segura, director of threat intelligence at Malwarebytes, told Information Security Media Group.
“We know that to skim credit card data, attackers can do it either client-side using JavaScript, or server-side using PHP. However, there are hybrid versions, and this is the case here too,” Segura says.
In September 2020, researchers warned that about 2,000 sites that use the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).
Imitating Image File
During its recent analysis of websites running Magento 1, Malwarebytes researchers observed new PHP web shells disguised as a favicon, the small shortcut icon a site supplies for browser tabs and bookmarks, which they attributed to Magecart Group 12. The file, named Magento.png, presents itself as "image/png" but is not a valid PNG image.
“The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake PNG file,” Segura says. “Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell. However, in its current implementation, this PHP script won’t be loaded properly.”
Web shells are malicious scripts placed on a web server that give an attacker persistent remote access to and control over the site. "They are typically uploaded onto a web server after exploitation of a vulnerability (e.g., SQL injection)," Segura notes.
Malwarebytes says that although there are several ways to load skimming code, the most common one is by calling an external JavaScript resource. Whenever an online customer visits an e-commerce site, the browser makes a request to a domain hosting the skimmer.
Segura adds: “Online shops can detect this type of malware with a server-side scanner, while on the client-side, you would need to have access to the DOM to detect the malicious code being injected. One option here is to use a browser extension with heuristic capabilities.”
DOM stands for Document Object Model, which is a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document.
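The two injection patterns described above, a favicon tag whose target is not a real PNG and a checkout page that pulls JavaScript from a domain the store does not control, can both be caught by a simple server-side scan of the rendered page. The following is an added example written for this article, not code from Malwarebytes, Magento or the attackers; the sample HTML, the fake Magento.png contents, the fetcher callback and the allowed-host list are all constructed for illustration.

```python
"""Server-side audit for favicon-disguised PHP files and off-site script loads.

Example code added for illustration; the HTML, file contents and host names
below are constructed and are not taken from any real compromised store.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Every valid PNG starts with this 8-byte signature; a PHP file cannot.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class _RefCollector(HTMLParser):
    """Collect favicon hrefs and external script srcs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.icons = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # rel="shortcut icon" and rel="icon" both mark the favicon.
            rels = (a.get("rel") or "").lower().split()
            if "icon" in rels and a.get("href"):
                self.icons.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def extract_refs(html):
    parser = _RefCollector()
    parser.feed(html)
    return parser.icons, parser.scripts


def looks_like_php(data):
    """True if the bytes contain a PHP open tag anywhere (also catches polyglots)."""
    return b"<?php" in data or b"<?=" in data


def is_valid_png(data):
    return data.startswith(PNG_SIGNATURE)


def audit_page(html, fetch, allowed_hosts):
    """Return (kind, reference, reason) findings for one page.

    fetch(href) is a hypothetical callback returning the referenced file's
    bytes, or None if it cannot be read; allowed_hosts are the domains the
    store legitimately serves scripts from.
    """
    findings = []
    icons, scripts = extract_refs(html)
    for href in icons:
        data = fetch(href)
        if data is None:
            continue
        if looks_like_php(data):
            findings.append(("favicon", href, "PHP code inside favicon"))
        elif href.lower().endswith(".png") and not is_valid_png(data):
            findings.append(("favicon", href, "not a valid PNG"))
    for src in scripts:
        host = urlparse(src).hostname  # None for relative, same-origin scripts
        if host and host not in allowed_hosts:
            findings.append(("script", src, f"external script from {host}"))
    return findings


# Constructed sample: a Magento 1 page whose favicon tag was repointed at a
# PHP file named Magento.png, plus one script loaded from an unknown host.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="/skin/frontend/default/Magento.png">
<script src="https://shop.example/js/checkout.js"></script>
<script src="/js/varien/form.js"></script>
<script src="https://cdn.invalid/favicon.js"></script>
</head><body></body></html>"""

SAMPLE_FILES = {
    # Stand-in for the fake favicon: a PHP file, not PNG bytes.
    "/skin/frontend/default/Magento.png": b"<?php /* constructed stand-in for web shell body */ ?>",
}


def run_sample():
    return audit_page(SAMPLE_HTML, SAMPLE_FILES.get, {"shop.example"})


if __name__ == "__main__":
    for kind, ref, reason in run_sample():
        print(f"{kind}: {ref} ({reason})")
```

The favicon check deliberately looks at file contents rather than the declared MIME type, since the fake Magento.png in the Malwarebytes report is served as "image/png"; the script check flags any off-site host that is not on an explicit allowlist, which is the pattern behind most skimmer loads the article describes.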
Magento Widely Used
Adobe Magento is one of the world’s most widely used e-commerce platforms, with about 250,000 users, according to Adobe’s website.
Adobe reported in November 2019 that a vulnerability in the Magento e-commerce marketplace was exploited by a third party to access account information (see: Magento Marketplace Suffers Data Breach, Adobe Warns).