Days after Magecart adversaries were blamed for the British Airways breach, the threat group was also identified as behind hacking two additional victims this week – including customer engagement tool Feedify and boutique deal company Groopdealz.
The hack of Feedify was disclosed after Twitter user “Placebo” posted Tuesday that Magecart was seen attacking the Feedify platform – and it has since then been removed from the tool.
Magecart on Feedify. A customer engagement tool. According to there website 4000+ website use there tooling/code. Fixed today after I notified them.@ydklijnsma @GossiTheDog pic.twitter.com/K2czXkUoHD
— Placebo (@PlaceboRulez) September 11, 2018
Researchers Yonathan Klijnsmaand Kevin Beaumontboth confirmed the hack on Twitter. According to Klijnsma, the platform has been impacted by Magecart since Aug. 17, and the bad code popped up again after being shut down multiple times – suggesting that the campaign is ongoing.
The bad actor essentially embedded bad code into a Feedify-hosted JavaScript library. When a visitor goes to that website, the Magecart group’s malware will then collect personal details entered on the site – such as payment card information.
According to Feedify, 4,000 websites use its code. Feedify did not respond to multiple requests for comment from Threatpost.
In a separate Tweet on Thursday, Klijnsma said that the Magecart skimmer impacted boutique deals company Groopdealz, a fashion and decor website that he said has been compromised since August 5.
“That’s more than a month now,” he said in a Tweet. “Script was added manually on the server, the website already used a legitimate jQuery script from a normal trusted CDN.”
.@Groopdealz_ has been compromised with the Magecart skimmer since: Sun, 05 Aug 2018 21:17:39 GMT
That's more than a month now. Script was added manually on the server, the website already used a legitimate jQuery script from a normal trusted CDN. https://t.co/bupuiETJvp
— Yonathan Klijnsma (@ydklijnsma) September 13, 2018
Both disclosed hacks come days after it was revealed that Magecart was behind the British Airways breach last week that compromised up to 380,000 payment cards.
Researchers at RiskIQ released findings in a post Monday that show that the Magecart group added suspicious scripts on the baggage claim information page of the British Airways’ website – which then collected data from visitors and sent it back to the threat actors’ server.
Magecart is known for its use of web-based card skimmers (digital card skimmers) since 2016, which use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
It’s essentially a digital variety of a traditional method criminals used – known as card skimmers— which are devices hidden within credit card readers on ATMs, fuel pumps and other machines to steal credit card data for the criminal to later collect.
“Magecart since 2017 has been running a campaign very similar to what happened to British Airways,” Klijnsma told Threatpost. “They’ve been setting up infrastructure to mimic victims or they would simply mimic ad or analytics providers to blend in. The British Airways attack was just an extension of that attack in our eyes.”
The Magecart group, in operation since 2015, has been blamed for an array of recent breaches, including one of the most prolific card-stealing operations seen in the wild to date, as well as a massive breach of Ticketmaster earlier in the year.