A new Magecart-style skimming campaign has been spotted in the wild by security researchers at Akamai.
Magecart attacks go back to a 2015 campaign attributed to the Magecart hacking group, which targeted the Magento e-commerce platform. Typically such attacks involve three stages: initial infiltration of the site, implantation of skimming code or fake payment forms, and finally data exfiltration, when the captured credit card data and other personal information is sent to the attackers.
What makes this new campaign unique is that the threat actor first sets up its command-and-control (C2) infrastructure on otherwise legitimate sites, often by taking advantage of known vulnerabilities. By doing this, the threat actors can host their malicious code on sites that are likely to be trusted by the online retailers targeted in the next phase of the attack.
“Rather than using the attackers’ own C2 server to host malicious code, which may be flagged as a malicious domain, attackers hack into (using vulnerabilities or any other means at their disposal) a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it,” Akamai’s researchers said in a blog post.
“In essence, this campaign creates two sets of victims.”
In the next stage of the attack, rather than simply injecting code into the target e-commerce site, this campaign targets its victims with a small piece of inline JavaScript code, which in turn downloads the full malicious payload.
While the researchers are uncertain how the JavaScript loader is first deployed, it is likely that this, too, relies on exploiting a known vulnerability on the target site. Besides Magento-based sites, the campaign also targets stores running WooCommerce, WordPress, and Shopify.
“Once the loader is injected, any user who attempts to check out from the web skimming victim website will have their personal details and credit card information stolen and sent out to the attackers’ C2 server,” Akamai said.
Akamai’s researchers believe the campaign had been running for at least a month before it was discovered. Retailers from all over the world have been targeted, including here in Australia as well as in the United States, the United Kingdom, Estonia, Brazil, Spain, and Peru.
Because the injected loader is tiny and the full payload is served from otherwise legitimate sites, the campaign is difficult to detect and counter. The threat actors behind skimming campaigns are known to constantly iterate their tactics to evade analysis.
“We can expect to encounter similar campaigns intermittently, as this cat-and-mouse game is likely to persist,” Akamai concluded.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.