New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

New Magecart Attack Against 19 E-Commerce Sites

Magecart Group 7: Researchers at RiskIQ have outlined a new Magecart campaign they found affecting at least 19 e-commerce sites, which they have attributed to Magecart Group 7. Magecart is the umbrella term for multiple threat actors that compromise e-commerce websites to steal customer credit card data. Magecart attacks have been on a rising trend in recent months. The newest attack campaign from the group took only 22 lines of code to compromise the various websites and gain real-time access to sensitive data including credit card numbers. The new code, dubbed MakeFrame, injects HTML iframes into the webpages to steal the payment data as it is being entered. MakeFrame uses obfuscated code to avoid detection. Inside the skimming code, a blob of hex-encoded array of strings and obfuscated code is included between benign code to avoid detection. In a twist by the threat actor, the obfuscated code is much more difficult to analyze due to a check of the function _0x5cc230[‘removeCookie’] that ensures the code is not altered. This prevents researchers from altering the code to make it easier to read and understand. When the check passes, the code gets reconstructed by decoding obfuscated strings. Once the skimmer is added to the page, iframes create payment forms that trick users into believing they are entering their sensitive information into the website, but instead the form is sending the information to the threat actor. Some of the compromised websites are used to receive stolen data from other compromised sites, while others are configured to send the stolen data to a server at IP address 163.172.136[.]230, owned by the French cloud computing company Online S.A.S.

Analyst Notes

RiskIQ attributed MakeFrame to Group 7 due to their approach of using compromised websites to host skimming code and using other compromised websites to send the stolen data to. Magecart attacks have been a growing cyber-crime throughout the world because of the financial gain that a threat actor can yield from these attacks. Businesses that operate e-commerce websites should closely monitor web servers for signs of unusual access or attacker behaviors, as well as regularly scanning all JavaScript code used on checkout pages for unauthorized changes. JavaScript code hosted on external servers can be protected using JavaScript sandbox technologies that limit the ability of the third-party code to access payment form input fields. Configuring the site’s content security policy to prevent communication with unauthorized third-party web servers can also be a useful part of a defense-in-depth approach to protect data from being sent to other sites, although that doesn’t help if the compromised site itself is being used to receive and store the stolen data. Consumers can protect themselves by being vigilant when online shopping. Using a one-time-use or virtual credit card provided by a third company or a bank ensures that people do not give away their actual credit card if they happen to fall victim to an e-skimmer. More information can be read here: https://thehackernews.com/2020/04/magecart-digital-skimmer.html and the detailed report from RiskIQ here: https://www.riskiq.com/blog/labs/magecart-makeframe/