Magecart attacks are still there. And they’re getting quieter



Magecart attacks are dwindling in numbers but increasingly insidious, with researchers highlighting potential server-side blind spots in tracking them.

You don’t hear about Magecart attacks that often any more. In recent years, the cybersecurity incidents that have made headlines have tended to involve attacks on core utilities and critical services, state-sponsored campaigns, ransomware, massive data breaches, and disruption on a far wider scale than the problems Magecart victims typically experience today.

However, this does not mean that the problem has disappeared, and we must not forget that it is not only SMEs that are at risk: major brands have fallen prey to these types of cyber attacks in the past, including British Airways, Newegg and Ticketmaster.


Magecart describes cyber attacks that abuse a website’s e-commerce functionality. Also known as card-skimming attacks, they typically begin with threat actors exploiting a vulnerability in a website’s backend content management system or in one of its third-party dependencies, and then covertly implanting malicious JavaScript code.

This code, embedded in the payment section of a website, collects the card details entered by a customer and sends them to an attacker-controlled server.

On June 20, Malwarebytes researcher Jérôme Segura said in a blog post that while Magecart attack rates appear to have declined, recent reports suggest the market for stolen credit card information is still considered worthwhile — and a new campaign has shown that some operations still run “pretty broad infrastructure.”

A Sansec report published on June 9 revealed a new skimmer domain. On June 12, another researcher tweeted about a host suspected to be malicious and its connection to a hacked e-commerce store; this was then confirmed by a third researcher.

Malwarebytes investigated the reports and, because the same autonomous system number (ASN) was used in both cases, linked the domains to a larger campaign.

Going back to their files, the cybersecurity researchers linked recent Magecart activity to a 2021 campaign that hosted a skimmer that could detect the use of virtual machines (VMs).

Although the reason is unclear, the VM code has since been removed from the skimmer. In addition, the new malware has different naming schemes. However, there was enough evidence to point Malwarebytes to a series of URLs, some of which were malicious.

The activity of this new campaign likely goes back to at least May 2020.


One challenge in following the current trajectory of Magecart attacks, however, is a persistent gap between limited visibility on the server side and the more transparent scanning tools available on the client side.

“If the Magecart threat actors decided to change their operations solely on the server side, the majority of companies, including ours, would lose visibility overnight,” Segura noted. “This is why we often look up to researchers cleaning up the website. If something happened, these guys would probably notice. If we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.”

Last year, Cloudflare launched a cybersecurity offering designed to tackle Magecart-like attacks. Cloudflare’s Page Shield, a client-side solution, now offers Script Monitor, which tracks third-party JavaScript dependencies and logs any changes to that code over time. This can alert organizations to malicious add-ons injected into their e-commerce services.
