Magecart Group Targets Shopper Approved in Latest Attack

The breach also impacted hundreds of Shopper Approved’s customers.

The notorious Magecart threat group has struck again, this time attacking Shopper Approved – a piece of third-party software that provides rating seals for online stores. The attack consequently put payment data from multiple online stores at risk.

It’s only the most recent attack for Magecart, a notorious threat group which has been behind several large-scale breaches, including those of Ticketmaster and British Airways.

“Similar to the attack against Ticketmaster, this attack did not impact a single store directly,” said RiskIQ researchers in a Tuesday post about the breach. “Instead, it attempted to skim payment information from multiple online stores at once by compromising a widely used third party.”

Magecart, in operation since 2015, has been blamed for an array of recent breaches. The group primarily utilizes digital card skimmers, which are scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites. This can be done directly, or through compromised third-party suppliers used by these sites, as is the case with Shopper Approved.

It’s a digital variant of traditional card skimmers— which are devices hidden within credit-card readers on ATMs, fuel pumps and other machines to steal payment data.

“The skimmer itself is built to skim any form on a page when it is submitted (input fields, select drop-downs, text areas, check boxes and buttons specifically),” Yonathan Klijnsma, threat researcher with RiskIQ told Threatpost. “However, they filter the URL the victim is on to make sure it is a checkout page. This filters what they are skimming down to payment information.”

On Sept. 15, RiskIQ researchers – who have been specifically tracking the group – said they received a notification that Magecart e-commerce data-stealer script had been discovered yet once again in a domain. When they opened the page and looked at the crawl data, they saw the Magecart skimmer in the code.

The skimmer was added to a script that normally ensures the functionality of getting the Shopper Approved site seal on sites, Klijnsma told Threatpost. It was active between Sept. 15 and 17, when it was removed, he said.

RiskIQ did not name specific customers impacted, but did say that Shopper Approved has around 7,000 customers.

“However, what is important to note is that not all customers were affected directly—only a few hundred,” said Klijnsma. “The reason for this is that the Shopper Approved script wasn’t active on the checkout pages for the majority of their customers, which is a good practice. There is no need for it to be on the checkout page.”

In an emailed comment to Threatpost, a Shopper Approved spokesperson said that the company immediately initiated an internal investigation and took steps to remediate the issue.

The incident only affected a small portion of our customers that use the Shopper Approved seal on their website, and we have reached out directly to those we believe may have been affected,” the spokesperson said. “The security of our systems and customers is a top priority for Shopper Approved, and we regret any inconvenience this incident may have caused.”

Magecart has been active over the past month. In September, a British Airways breach of up to 380,000 payment cards, has been attributed to the infamous Magecart threat actor.

Days after Magecart adversaries were blamed for the British Airways breach, the threat group was also identified as behind hacking two additional victims this week – including customer engagement tool Feedify and boutique deal company Groopdealz.

The attacks are getting more and more traction as the group learns how to become more effective, RiskIQ researchers said. For instance, while initial attacks involved low-tier Magento stores, later attacks targeted services supplying functionality to e-commerce websites to increase their reach and level of victims.

There are also subsets within Magecart.

“What is good to note is that Magecart is the umbrella name for multiple groups, currently seven that we are actively tracking,” Klijnsma said. “The group behind this breach was also behind Feedify and Ticketmaster but it was not behind the British Airways breach. We name this group simply ‘Magecart Group 5.’ Group 6 was responsible for British Airways and Newegg f.e.

Suggested articles