Virus Bulletin 2019: Magecart Infestations Saturate the Web


There are dozens of known groups, hundreds of C2 servers and millions of victim websites.

LONDON — Magecart, the digital card-skimming collective, is now so ubiquitous that its infrastructure is flooding the internet. In a paper presented at Virus Bulletin 2019 this week in London, Jordan Herman and Yonathan Klijnsma of RiskIQ said that there are now 573 known C2 domains for the group, with close to 10,000 hosts actively loading those domains.

Magecart – which is an umbrella group encompassing several different affiliates all using the same modus operandi – injects malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. In all, RiskIQ has detected almost 2 million (2,086,529) instances of Magecart’s JavaScript binaries, with over 18,000 hosts directly breached.

And, adding insult to injury, because Magecart skimmers stay on websites for so long, if not indefinitely, they can be a second-hand boon to threat actors, researchers said: Markets for skimmers and pre-breached websites are making the barriers to entry extremely low for new Magecart actors.

“Large portions of malicious Magecart domains have been taken up for sinkholing by various parties,” explained Herman and Klijnsma. “However, some of them are kicked offline by the registrar, put on hold and eventually released back into a pool of available domains. RiskIQ researchers have noticed bad guys taking advantage of these domains coming back up for sale and buying them to continue skimming, or for other purposes, such as monetizing traffic through advertising or even serving malware.”

According to RiskIQ, Magecart has been active for nearly 10 years—RiskIQ’s earliest Magecart observation occurred on August 8, 2010. In that time, two different approaches have developed for attacking targets — gaining access to websites via a direct compromise, or via third-party services in supply-chain attacks.

Magecart gets its name from primarily targeting the Magento third-party shopping software – it’s a combination of “Magento” and “shopping cart.” The platform remains the lifeblood of many Magecart groups today: There are, according to RiskIQ, 9,688 vulnerable Magento hosts out there today.

Supply-chain attacks, in which Magecart will typically target third parties that supply code to websites, are responsible for the largest spikes in RiskIQ Magecart detections, the firm noted. For instance, this was the approach taken in the well-publicized Ticketmaster attack that happened in July 2018. A Magecart group attacked website analytics providers SociaPlus and Inbenta in that instance, gaining access to over 800 e-commerce sites in the process and accessing an enormous victim pool.

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 buckets,” according to the research. “These third parties integrate with thousands of websites, so when one supplier is compromised, Magecart has effectively breached thousands of sites at once.”

On the S3 front, an active campaign first spotted in April 2019 has seen Magecart automate the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. So far, the group has compromised a vast collection of S3 buckets to impact well over 17,000 domains, according to the RiskIQ report.
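The S3 campaign described above relies on buckets whose ACL or bucket policy lets anonymous users write objects. The following audit script is an added example, not code from the article or from RiskIQ: it takes the dict shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()["Policy"]` return and reports any grant or policy statement that gives everyone write-level access. The ACL and policy below are constructed samples; the owner ID and bucket name are placeholders.

```python
"""Flag S3 bucket configurations that let anonymous users write objects.

Added example (not from the Threatpost article or the RiskIQ paper). The
functions take the dict shapes that boto3's get_bucket_acl() and
get_bucket_policy()["Policy"] return, so they run offline on the constructed
input below; pointing them at real buckets via boto3 is left to the reader.
"""
import json

# Predefined grantee groups that mean "anyone on the internet" / "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that allow adding or replacing objects (or rewriting the ACL).
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions (lower-cased) that allow changing bucket contents.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Findings for ACL grants that give a public group write-level permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission", "")
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and perm in WRITE_PERMISSIONS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {perm} to {group}")
    return findings


def _principal_is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_allows_write(action):
    a = action.lower()
    if a in WRITE_ACTIONS:
        return True
    # Prefix wildcards such as "s3:Put*" cover the write actions too.
    return a.endswith("*") and any(w.startswith(a[:-1]) for w in WRITE_ACTIONS)


def policy_findings(policy_json):
    """Findings for unconditioned Allow statements that let Principal * write."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        # Statements with a Condition (e.g. restricted to a VPC or source IP) are
        # skipped here rather than evaluated; review those by hand.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal", {})):
            continue
        writes = [a for a in _as_list(stmt.get("Action", [])) if _action_allows_write(a)]
        if writes:
            sid = stmt.get("Sid", "<no Sid>")
            findings.append(f"policy statement {sid} allows {', '.join(writes)} to Principal *")
    return findings


def audit_bucket(acl, policy_json):
    """Combined list of findings; an empty list means no anonymous write path was found."""
    return acl_findings(acl) + policy_findings(policy_json)


# Constructed sample: the owner has FULL_CONTROL, but AllUsers also has WRITE, so
# anyone can upload or overwrite objects (such as a site's JavaScript files).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}
# Constructed sample policy: public read for a static site is intended; no public write.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-placeholder/*"}],
})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print(finding)
```

Public read is a normal configuration for a bucket that serves static assets; the finding that matters for this campaign is a write path open to AllUsers or AuthenticatedUsers. Conditioned statements are deliberately skipped rather than evaluated, so a bucket with only conditioned grants should still be reviewed by hand.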

In all, it’s a good reminder to web administrators to review the code on their sites for suspicious artifacts and unauthorized changes.

“Magecart takes advantage of online businesses’ general lack of visibility into their web-facing attack surfaces,” according to the report. “In many cases, the victims have no idea the JavaScript on their site has been changed, allowing the malicious code to exist there indefinitely. In the case of supply-chain attacks, it’s common a victim does not know that the compromised third-party JavaScript on their site is dangerous — or that they’re even running the code from the breached supplier.”
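The reminder above to review site code for unauthorized changes, and the report's point that victims do not notice altered or newly introduced JavaScript, both come down to comparing what a page loads today against a known-good baseline. The script below is an added example, not code from the article or from RiskIQ: using only the standard library, it records which hosts a page's external scripts come from and a SHA-256 of every inline script body, then reports anything the baseline does not contain. The two HTML documents, the host names and the file paths are constructed for the example.

```python
"""Baseline-and-diff check for the JavaScript a checkout page loads.

Added example, not code from the article or from RiskIQ. It parses <script>
tags, records the hosts external scripts are pulled from and a SHA-256 of
every inline script body, and reports anything in the current page that the
stored baseline lacks. The HTML below is constructed; in use, the baseline is
captured from a known-good deploy and the current HTML is fetched from the
live site on a schedule.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._capturing = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._capturing = True
            self._buf = []

    def handle_data(self, data):
        if self._capturing:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._capturing:
            self.inline.append("".join(self._buf))
            self._capturing = False


def script_profile(html, page_host):
    """Summarise a page as the set of script hosts and the set of inline script hashes."""
    collector = _ScriptCollector()
    collector.feed(html)
    # Relative src values ("/js/app.js") resolve to the page's own host;
    # protocol-relative and absolute URLs carry their own netloc.
    hosts = {urlparse(src).netloc.lower() or page_host for src in collector.external}
    inline = {hashlib.sha256(body.strip().encode()).hexdigest() for body in collector.inline}
    return {"hosts": hosts, "inline": inline}


def diff_profiles(baseline, current):
    """Findings for anything in the current profile that the baseline does not have."""
    findings = []
    for host in sorted(current["hosts"] - baseline["hosts"]):
        findings.append(f"script loaded from host not in baseline: {host}")
    for digest in sorted(current["inline"] - baseline["inline"]):
        findings.append(f"inline script not in baseline: sha256 {digest[:16]}")
    return findings


def check_page(baseline_html, current_html, page_host):
    """Convenience wrapper: profile both documents and diff them."""
    return diff_profiles(script_profile(baseline_html, page_host),
                         script_profile(current_html, page_host))


# Constructed sample pages. The "current" page has gained a script from a host
# the baseline never referenced and a modified inline block.
BASELINE_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="payment"></form></body></html>"""

CURRENT_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="//cdn-placeholder.example/lib.min.js"></script>
<script>window.dataLayer = [{page: "checkout"}];</script>
</head><body><form id="payment"></form></body></html>"""

if __name__ == "__main__":
    for finding in check_page(BASELINE_HTML, CURRENT_HTML, "shop.example"):
        print(finding)
```

Comparing hosts catches a script pulled from a domain the site never used; comparing inline hashes catches an edited block. It does not catch the supply-chain case the report describes, where a supplier already in the baseline starts serving different content from the same URL. Covering that requires hashing the fetched external files as well (which is what Subresource Integrity attributes pin in the browser) and diffing those hashes the same way.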
