Magecart attacks are dwindling in numbers but increasingly insidious, with researchers highlighting potential server-side blind spots in tracking them.
You don’t hear about Magecart attacks that often. In recent years, cybersecurity incidents that have made headlines have tended to involve attacks on core utilities and critical services, state-sponsored campaigns, ransomware, massive data breaches, and disruptions on a wider scale than the problems Magecart victims often experience today.
However, this does not mean that the problem has disappeared, and we must not forget that it is not only SMEs that are at risk: major brands have fallen prey to these types of cyber attacks in the past, including British Airways, Newegg and Ticketmaster.
In a Magecart attack, skimmer code embedded in the payment section of a website collects all card details entered by a customer and sends them to an attacker-controlled server.
On June 20, Malwarebytes researcher Jérôme Segura said in a blog post that while Magecart attack rates appear to have declined, recent reports suggest the market for stolen credit card information is still considered worthwhile, and a new campaign has shown that some operations still operate “pretty broad infrastructure.”
A Sansec report posted on June 9 revealed a new skimmer domain. On June 12, another researcher tweeted about a host, suspected to be malicious, and its connection to a hacked e-commerce store. This was then confirmed by another researcher.
Malwarebytes investigated the reports and, because the same autonomous system number (ASN) was used in both cases, linked the domains to a larger campaign.
Going back through their records, the cybersecurity researchers linked the recent Magecart activity to a 2021 campaign that hosted a skimmer that could detect the use of virtual machines (VMs).
Although the reason is unclear, the VM detection code has since been removed from the skimmer. In addition, the new malware uses different naming schemes. However, there was enough evidence to point Malwarebytes to a series of URLs, some of which were malicious.
The activity of this new campaign likely goes back to at least May 2020.
One challenge in following the current trajectory of Magecart attacks, however, is the ongoing gap between the lack of visibility on the server side and the more transparent scanning tools available on the client side.
“If the Magecart threat actors decided to change their operations solely on the server side, the majority of companies, including ours, would lose visibility overnight,” Segura noted. “This is why we often look up to researchers cleaning up the website. If something happened, these guys would probably notice. if we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.”