Dozens of online stores were hacked by a new Magecart group, and the list of victim websites was inadvertently leaked. The threat actors have access to the websites and used an unnamed Remote Access Trojan (RAT) to maintain persistence in their victims’ network. According to researchers at Sansec, a company focused on protecting e-commerce companies, the threat actors made a mistake in their dropper’s code and stored a list of all their victims within the code. Sansec analyzed a copy of the RAT dropper and found the list of 41 websites. According to the researchers, it is likely the author of the malware made this mistake because they have little experience with PHP code. The RAT had a few interesting features including evasion techniques designed to camouflage the RAT as a DNS or an SSH server daemon, so it does not stand out in the server’s process list. The malware also runs in sleep mode except for once a day when it becomes active to connect to the Command and Control (C2) server and ask for commands.
Magecart attacks continue to evolve as threat actors identify new ways to steal credit card information. With the increase in online shopping, new threat actors will begin to find alternate ways to steal credit cards from online shops evading detections. To prevent fraudulent charges by Magecart or any other credit card thieves, consumers should sign up for one-time use virtual credit cards which can be purchased through verified services or some banks. These services allow the consumer to purchase a pre-loaded credit card that can only be used once or used multiple times but has a balance of zero until the money is added to it. By keeping the balance at zero, if the card were to be compromised, an attacker would not be able to purchase anything with the number. One-time use cards provide the buyer with a credit card number that expires after the purchase. Though these cards may seem like a hassle for many, they do not take that much time to register for and will relieve consumers of the stress that could be caused by having a card compromised.
More can be read here: https://www.bleepingcomputer.com/news/security/stealthy-magecart-malware-mistakenly-leaks-list-of-hacked-stores/