Magecart Goes Server-Side in Latest Tactics Changeup

The latest Magecart iteration is finding success with a new PHP web shell skimmer.

Magecart Group 12, known for skimming payment information from online shoppers, has been identified as the group behind last September’s mass attack on more than 2,000 e-commerce sites, and researchers have now issued a report explaining how it was done, detailing a new technical approach. The skimmers are still “very active,” according to the analysis.

According to Malwarebytes Labs’ Threat Intelligence Team, the credit-card skimmer group is now using PHP web shells to gain remote administrative access to the sites it attacks and steal card data from there, rather than relying on its previously favored JavaScript skimmers, which it simply injected into vulnerable checkout pages to log the information shoppers keyed in.

Magecart 12, the latest incarnation of the web skimmer group, continues to launch attacks with malware created to mimic a favicon, also known as a “favorite icon” or “shortcut icon.”

“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file,” the report said. “The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file.”

But in this instance, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block, the report adds, because the skimmer code is injected on the server side, so the page the shopper receives already contains it, rather than being loaded on the client side from an external resource that could be blocklisted.
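The fake-favicon indicator lends itself to a simple check: find the icon tags a page references and confirm the referenced file actually has a PNG (or ICO) header rather than PHP source. The following Python is an added example written for this article, not code from the Malwarebytes report or from Magento. The page markup, the file bytes, and the `fetch_sample` lookup standing in for an HTTP fetch are all constructed for the example; in a real audit `fetch` would retrieve the href over HTTP and the verdict would be checked on every page that serves a checkout form.

```python
# Added example (not from the Malwarebytes report): verify that the favicon a
# page references is a real image file and not PHP source in disguise.
from html.parser import HTMLParser

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte PNG signature
ICO_MAGIC = b"\x00\x00\x01\x00"    # ICONDIR header of a Windows .ico


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel names an icon
    (covers rel="icon", rel="shortcut icon", rel="apple-touch-icon" etc.)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if any("icon" in r for r in rel) and a.get("href"):
            self.hrefs.append(a["href"])


def icon_hrefs(html):
    p = IconLinkParser()
    p.feed(html)
    return p.hrefs


def classify_icon(data):
    """Return 'png', 'ico', 'php' or 'unknown' from the file's leading bytes.
    The declared Content-Type is ignored on purpose: a server-side shell can
    claim image/png while serving PHP."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ICO_MAGIC):
        return "ico"
    head = data.lstrip()[:64].lower()
    if head.startswith(b"<?php") or head.startswith(b"<?="):
        return "php"
    return "unknown"


def audit_page(html, fetch):
    """fetch(href) -> bytes. Returns [(href, verdict)] for every icon link."""
    return [(h, classify_icon(fetch(h))) for h in icon_hrefs(html)]


# Constructed sample: a store page whose icon tag was swapped to point at a
# fake PNG, plus a dict standing in for HTTP fetches so this runs offline.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" type="image/png" href="/media/Magento.png">
<link rel="icon" href="/skin/favicon.ico">
</head><body>checkout</body></html>"""

SAMPLE_FILES = {
    # inert stand-in for a PHP web shell body; the real file is not reproduced
    "/media/Magento.png": b"<?php /* stand-in for web shell source */ ?>",
    "/skin/favicon.ico": ICO_MAGIC + b"\x01\x00" + b"\x00" * 10,
}


def fetch_sample(href):
    return SAMPLE_FILES[href]


if __name__ == "__main__":
    for href, verdict in audit_page(SAMPLE_HTML, fetch_sample):
        flag = "  <-- not an image, inspect the server" if verdict == "php" else ""
        print(f"{href}: {verdict}{flag}")
```

A `php` verdict on an icon path is a strong signal that the server itself, not just a page template, has been tampered with, so the follow-up is a server-side investigation rather than a front-end fix.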

“As such, a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation,” the report said. “A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.”

DOM is short for Document Object Model, the programming interface a browser exposes for the tree of elements that makes up an HTML or XML document; inspecting it at runtime shows what a page actually contains after scripts have run, including code that was injected.

Despite the change, the group is still aimed at achieving the same goal: Injecting card skimming malware to steal customer payment-card details.

“Digital skimming or e-skimming attacks are a lucrative source of revenue for cybercriminals as stolen credit-card numbers are worth millions of dollars on the Dark Web,” Avishai Shafir from PerimeterX said, via email.

Magecart Continues to Evolve

Magecart continues to evolve its tactics. Last month, researchers from Sucuri discovered that Magecart attackers were saving their stolen credit-card data in .JPG files until they could be exfiltrated from compromised e-Commerce sites running Magento 2.

“The creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner,” Sucuri’s Luke Leal wrote about the finding, in March.

And, back in December, Magecart attackers hijacked PayPal transactions during the holiday shopping season.

Experts anticipate that Magecart will continue to evolve and improve their attacks as long as their cybercrimes keep turning a profit.

“The latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics,” Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, told Threatpost. “The most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection.”

Protecting Against Magecart

Researchers have long implored online retailers to update their content management systems (CMS) — known vulnerabilities in Magento are the group’s favorite way to compromise e-Commerce sites.

“Unpatched CMS are the reliable route to infection for any cybercriminal gang, including the Magecart Group,” Dirk Schrader with New Net Technologies said via email.

Code reviews, pen testing, and regular updates and patching are all key to stopping card skimmers, experts added.

“The easiest ways to defend against attacks like these are through patching and staying current with updates, conducting regular code reviews, application pen testing, PCI-level audits, and audits of users and activity,” Nikkel added. “Companies that decide to go the CMS route, such as Magento or even WordPress, Drupal and other similar applications, should also ensure that any site plugins remain current. Most of the attacks by Magecart groups depend on older, vulnerable versions of both to work, but staying current and reviewing code can help mitigate the risk presented by these campaigns.”

Third-party payment processors are something else that e-Commerce sites might want to consider, John Bambenek, threat intelligence advisor for Netenrich, told Threatpost in reaction to the Magecart discovery.

“Websites that process payments are obviously lucrative targets for attackers,” Bambenek wrote in an email. “This is why it’s important for small companies that are not staffed to protect themselves to look hard at using external payment processors.”

For online retailers with staff available, Bambenek added, “This compromise can be detected by looking for communication initiated by the webserver and attempting to connect to a remote system on port 80, and such traffic is unencrypted, so perimeter monitoring should be able to see the data exfiltration as well.”
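The detection Bambenek describes is a small rule over connection records: the store’s web servers should accept connections, not open them to arbitrary internet hosts on port 80. The following Python is an added example written for this article, not code from Netenrich or from the report. The web server addresses, the allowlist of legitimate destinations, and the flow records are all constructed; the seven-field record layout is an assumption modelled loosely on a flow export, and a real deployment would read Zeek `conn.log` or NetFlow instead.

```python
# Added example (not from the article): flag connections that an e-commerce
# web server itself initiates to public hosts on TCP port 80, and sum the
# bytes it sent to each such host.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed for this example: hosts that should never reach out on port 80.
WEB_SERVERS = {"10.0.1.10", "10.0.1.11"}
# Constructed placeholder for destinations the store legitimately contacts
# (payment gateway, CDN, update server).
ALLOWED_DESTS = {"203.0.113.5"}

PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def parse_conn(line):
    """Parse one record in the assumed layout:
    ts src_ip src_port dst_ip dst_port proto orig_bytes"""
    ts, src, sport, dst, dport, proto, obytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(),
            "orig_bytes": int(obytes)}


def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def suspicious(rec):
    """Web server -> public host on TCP/80, not on the allowlist."""
    return (rec["src"] in WEB_SERVERS
            and rec["proto"] == "tcp"
            and rec["dport"] == 80
            and not is_private(rec["dst"])
            and rec["dst"] not in ALLOWED_DESTS)


def find_exfil(lines):
    """Return (flagged records, bytes sent per (src, dst) pair)."""
    hits, volume = [], defaultdict(int)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn(line)
        if suspicious(rec):
            hits.append(rec)
            volume[(rec["src"], rec["dst"])] += rec["orig_bytes"]
    return hits, dict(volume)


# Constructed sample flows: one inbound shopper, one allowed outbound call,
# two web servers posting to the same unknown public host on port 80, one
# internal port-80 call, and one allowed destination on port 80.
SAMPLE_LOG = """# ts src_ip src_port dst_ip dst_port proto orig_bytes
1618300000.1 198.51.100.7 51234 10.0.1.10 443 tcp 1200
1618300001.4 10.0.1.10 40001 203.0.113.5 443 tcp 900
1618300002.9 10.0.1.10 40002 192.0.2.44 80 tcp 3100
1618300003.2 10.0.1.11 40003 192.0.2.44 80 tcp 2800
1618300004.0 10.0.1.10 40004 10.0.2.20 80 tcp 500
1618300005.5 10.0.1.10 40005 203.0.113.5 80 tcp 700
""".splitlines()


if __name__ == "__main__":
    hits, volume = find_exfil(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} "
              f"{rec['orig_bytes']} bytes out")
    for (src, dst), total in volume.items():
        print(f"total {src} -> {dst}: {total} bytes")
```

Two web servers sending to the same unfamiliar host is the pattern worth paging on; a single small hit is more often a plugin update check. Because this port-80 traffic is cleartext, the same perimeter sensor can capture the payloads for the incident-response team, which a skimmer that exfiltrates over TLS would not allow.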
