Magecart Serves Up Card Skimmers on Restaurant-Ordering Systems

300 restaurants and at least 50,000 payment cards compromised by two separate campaigns against MenuDrive, Harbortouch and InTouchPOS services.

Magecart campaigns have been skimming payment-card credentials of unsuspecting customers using three online restaurant-ordering systems, affecting about 300 restaurants that use the services and compromising tens of thousands of cards so far, researchers have found.

Two separate ongoing Magecart campaigns have injected e-skimmer scripts into the online ordering portals of restaurants using three separate platforms: MenuDrive, Harbortouch, and InTouchPOS, researchers from Recorded Future revealed in a blog post this week. One appears to have begun last November, and the other in January, they said.

[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]

“Across all three platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis,” researchers from Recorded Future’s Insikt Group wrote in the report.

Magecart is a general term for cybercriminals who use card-skimming technology to steal credentials from payment cards used at point-of-sale (POS) or e-commerce systems. They typically end up selling these stolen credentials on hacker forums on the dark web.

The infections on the restaurants’ websites affected in the two campaigns observed by Recorded Future “often result in the exposure of customers’ payment card data and PII (their billing information and contact information),” researchers noted.

So far, researchers have identified more than 50,000 compromised payment card records from the campaigns posted for sale on the dark web, and they expect more stolen data to be posted in the future, they said.

MagecartCampaign Specifics

Researchers found that MenuDrive and Harbortouch were targeted by the same Magecart attacker, a campaign that resulted in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch.

“This campaign likely began no later than Jan. 18, 2022, and as of this report, a portion of the restaurants remained infected,” they noted in the post. However, the malicious domain used for the campaign, which researchers identified as authorizen[.]net, has been blocked since May 26, they said.

A separate and unrelated Magecart campaign targeted InTouchPOS even earlier, beginning no later than Nov. 12, 2021, researchers said. In that one, 157 restaurants using the platform were infected by e-skimmers, a portion of which remain this way, and the malicious domains associated with the campaign–bouncepilot[.]net and pinimg[.]org–remain active, they said.

Moreover, the tactics and indicators of compromise associated with the campaign targeting InTouchPOS are similar to those of other cybercriminal activity targeting 400 e-commerce websites that deal in different types of transactions since May 2020, according to Recorded Future. More than 30 of the affected sites in the related campaign remain compromised as of June 21, researchers said.

Low-Hanging Fruit

While centralized restaurant ordering platforms like Uber Eats and DoorDash dominate the market for such systems and are far more well-known than the ones affected by the campaigns, the hundreds of smaller platforms on the internet that serve local restaurants remain a valuable target for cybercriminals, researchers noted.

“Even small-scale platforms may have hundreds of restaurants as clients,” they said, which means targeting a smaller platform can expose scores of online transactions and payment-card info. Indeed, these platforms serve as low-hanging fruit for attackers, who tend to “seek the highest payout for the least amount of work,” researchers noted.

E-commerce sites in general face persistent challenges in securing their sites, and often contain vulnerable code from third-party or supply-chain partners that is easy for attackers to compromise and can have downstream effects, noted one security professional.

“This is another example of the web attack lifecycle–the cyclical and continuous nature of cyberattacks–where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing or account take-over attacks on another site,” Kim DeCarlis, chief marketing officer at cybersecurity company PerimeterX, wrote in an email to Threatpost.

[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]

Suggested articles