UPDATE
A faction of the Magecart threat group, Magecart group 12, has been linked to a recent digital card skimmer attack bent on stealing payment data from a slew of websites, including ones selling anything from Olympic tickets to emergency preparation kits.
Over the past few weeks, the group has targeted two ticket sales websites – one called Olympic Tickets is a re-seller of tickets to the upcoming 2020 summer Olympic games and the second, Euro 2020 Tickets, is selling tickets for the 2020 UEFA, a European football championship that takes place in June. Researchers also found the group’s same skimming code (being loaded from a different domain) used to target popular emergency preparedness sites; BePrepared.com, which sells survival kits and gear, and Augason Farms, which sells emergency food supplies.
“These sites were compromised by a skimmer using the domain OpenDoorCDN.com for data exfiltration,” said Jordan Herman, threat researcher with RiskIQ in a Friday analysis. “Research by RiskIQ turned up several other compromised sites – some ranked within the Alexa top-200,000 – loading skimming code from storefrontcdn.com.”
Researchers Max Kersten and Jacob Pimental first became aware of the infection of the Olympic and UEFA ticket sale websites Jan. 17, after finding web skimming script on both of their check-out pages. While it’s unclear how long the malicious script was on these two websites, the researchers estimate it may have been as long as 50 days, since the skimmer for both was first indexed Dec. 3, 2019. The skimmer has since been removed, they said. These sites were loading skimming code from the domain opendoorcdn.com.
Meanwhile, the websites of both BePrepared.com and Augason Farms, which are owned by Blue Chip Group Manufacturing, were infected by the skimming code between Jan. 16 to Jan. 19, RiskIQ researchers said. The skimming code affecting these two sites was loaded from a different domain, storefrontcdn.com. These two sites have also since removed the code. Researchers said they don’t have indication how many people were impacted by this wave of card skimmer attacks; however, BePrepared.com is currently ranked by Alexa at 129,204 globally and 26,238 in the U.S. Augasonfarms.com meanwhile is ranked 100,908 globally and 17,793 in the U.S.
Based on the skimming code and obfuscation techniques used, researchers were able to link this attack back to Magecart Group 12, one of several groups operating under the Magecart umbrella. Magecart, which has made headlines over the past year or so for high-profile breaches of companies like VisionDirect, Ticketmaster and more, is known for its use of web-based, digital card skimmers, Magecart uses scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
The specific group in question, Magecart Group 12, has also been responsible for attacks on a Paris-based advertising company, Adverline. This most recent campaign utilized similarities to Group 12’s previous skimming attacks, along with some new updates.
New Tactics
In previous campaigns, Group 12 used Base64 encoded checks against the URLs of websites, looking for the words like “checkout” to identify the payment page. However, this technique was dropped in this most recent campaign, and the script instead was loaded via a variable under the alias of “EventsListenerPool.” Herman told Threatpost while he’s not positive why Magecart used this tactic, they may have changed things up to avoid detection.
“What has changed is how [Magecart attackers] get the compromised page to load that obfuscated skimming script. Previously, we would see an obfuscated piece of code on the compromised page that checks the URL for the word ‘checkout’ before loading the skimmer,” RiskIQ told Threatpost. “In these recent compromises, there is no obfuscated code inserted on the compromised page and no URL check, instead, they opted for a simple, non-obfuscated bit of code on the compromised page which caused the above skimming script to load.”
Attackers in this most recent campaign also worked to quickly swap out domains from which they had loaded the skimming code. After researchers had identified OpenDoorCDN.com (registered since January 2019) on compromised websites, the domain was replaced by another, TopLevelStatic.com (registered Feb. 1 through a Chinese registrar), for instance.
“Magecart groups generally use many different domains for their skimmers and data exfiltration,” RiskIQ told Threatpost. “This allows them to avoid detection because it is difficult to blacklist every one of their domains or get them taken down by their hosting providers. This is the first time I have directly observed a group swapping out skimming domains on compromised sites due to a takedown, but I expect it is not uncommon and shows how slippery Magecart can be.”
These domains use the same DNS provider, DNSPod, based in China, researchers said, and both are hosted on NGINX servers and use Let’s Encrypt certs. The IPs connected to TopLevelStatic.com have changed at least once a day, with each server, so far, based in Russia, they said. Skimming code is still being loaded from TopLevelStatic.com, Herman told Threatpost.
“The activity seen here demonstrates that Magecart is a persistent and resilient threat that requires constant vigilance in order to protect against it,” RiskIQ researchers said.
This article was updated at 12pm ET on Friday to clarify that the domain behind the skimming code on the Olympic ticket reseller websites was different than the one affecting the prepping sites.
Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.