In an interesting development on the financial cybercrime scene, different Magecart groups have been spotted stepping over each other and attacking the same sites.
Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites built on the Magento e-commerce platform in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment card details and other information entered into the fields on the page.
According to research from PerimeterX, multiple Magecart attacks are skimming credit cards from sites at the same time. These don’t seem to be coordinated, according to the firm, given that each of the attacks was different in terms of the techniques used to compromise the target retailers.
Ido Safruti, co-founder and CTO of PerimeterX, said in an email interview that the presence of multiple skimmers indicates that the Magecart groups are less affiliated with each other than many believe.
“From what we’ve learned so far, this is a cybercrime-as-a-service operation where multiple groups operate and breach websites, Magento-based and others, and they use different skimming kits purchased on the Dark Web,” he told Threatpost. “Cybercriminals are taking advantage of any new opportunity. When a specific type of attack has been published or exposed and studied, many crime groups will try and take advantage of the new attack and the new techniques used in it.”
Multiple Skimmer Discovery
In researching recent Magecart attacks on clothing e-shop Sixth June that came to light last week, PerimeterX researchers found the Sixth June skimmed data being posted to a domain called mogento[dot]info, which was also hosting the skimmer. Scanning the web for other sites posting data to that same domain uncovered several other infected sites, including tubing-and-valve specialist PEXSuperstore.com. Further investigation showed that PEXSuperstore was also infected with a second Magecart skimmer — only this one was exfiltrating card data to https://assetstorage[dot]net/PEXSuperstore.com.
“The two skimmers were completely different from each other in terms of code, obfuscation level and complexity,” explained PerimeterX research lead Mickey Alton, in a posting on Monday. “But, both attacks targeted Magento-based sites and used similar methods of code injection, and served malicious first-party code to unsuspecting users.”
More specifically, the Sixth June attacker directly compromised the PEXSuperstore website (i.e., it used “first-party code”), with a decoy code snippet that masqueraded as a Google Analytics script. The decoy script then pulled in an obfuscated snippet that loaded the skimmer from a remote server controlled by the attacker. The second Magecart attacker, on the other hand, compromised the website by simply modifying the website’s own script related to the checkout process, injecting skimming code at the bottom of the original script.
“This skimmer was on the checkout page sniffing users’ [personally identifiable information] PII data and sending post requests to assetstorage[dot]net,” wrote Alton. “When placing an order, the compromised first-party checkout script is called and executes the skimmer … we can only surmise that the web server security controls were bypassed to make changes to the website.”
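The two injection techniques described above suggest two site-side checks a defender can automate: flag any script tag whose source or inline body points at a host outside the shop’s allow list (catching a decoy commented as “Google Analytics” that loads from elsewhere), and compare first-party scripts such as the checkout script against a known-good hash (catching code appended to the bottom of the file). The following is an added example, not code from the article or from PerimeterX; the allow list, sample page and checkout script are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow list: hosts this shop legitimately loads scripts from or contacts.
ALLOWED_HOSTS = {"shop.example", "www.google-analytics.com"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")

class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None

def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return hosts referenced by script tags that are not on the allow list.
    The host is checked, not the label, so a decoy 'analytics' snippet is flagged."""
    parser = _ScriptCollector()
    parser.feed(html)
    hosts = set()
    for src, body in parser.scripts:
        for url in ([src] if src else []) + URL_RE.findall(body):
            host = urlparse(url).hostname
            if host:  # a relative src is a first-party path with no host to check
                hosts.add(host)
    return sorted(hosts - allowed_hosts)

def baseline_of(source):
    """SHA-256 of a known-good first-party script, recorded at deploy time."""
    return hashlib.sha256(source.encode()).hexdigest()

def script_modified(current_source, baseline_sha256):
    """True when a first-party script (e.g. checkout.js) no longer matches its baseline."""
    return baseline_of(current_source) != baseline_sha256

# Constructed sample page: first-party checkout script plus a decoy snippet pointing elsewhere.
SAMPLE_HTML = """<script src="/js/checkout.js"></script>
<script>// Google Analytics
var loader = "https://mogento.info/ga.js";</script>"""
```

Running `audit_page(SAMPLE_HTML)` returns the unexpected host from the decoy snippet; `script_modified` is meant to run against the deployed checkout script on a schedule, with the baseline stored outside the web root.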
The second skimmer host, assetstorage[dot]net, was found to be related to a much larger campaign, with the same MO used to target sportswear giant UmbroBrasil and other lesser-known websites.
It also appears that the double-dipping isn’t intentional; PerimeterX researchers surmised that the Magecart groups are likely running attack campaigns simultaneously without realizing it.
“In recent years the cybercrime world has evolved much like the software and cloud world has evolved with many groups offering services to perform specific tasks – like infecting a server, loading a payload, or providing a specific payload to carry an attack,” Safruti told Threatpost. “This is why we see more attacks using identical mechanisms and potentially multiple attackers infecting the same breached site(s), similar to the fact that many competing startups may be running their services on the same cloud vendor, and using the same open-source libraries.”
Magecart, in operation since 2015, is a collection of groups that have been blamed for an array of high-profile breaches – from Ticketmaster to British Airways. Skimmers can be injected directly into websites (as is the case with First Aid Beauty), or through compromised third-party suppliers used by sites.
More recently, in August it was disclosed that more than 80 global eCommerce sites were actively compromised by Magecart groups, while a September report found that a faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels.