
Hackers injected Forbes' subscription website with a Magecart script that collects the payment card data customers enter on the checkout page and exfiltrates it to a server controlled by the attackers.
As revealed by Bad Packets Report's co-founder Troy Mursch, the script collects card numbers, expiration dates, and credit card CVV/CVC verification codes, as well as customers' names, addresses, phone numbers and emails.
While the obfuscated Magecart script can still be found on the forbesmagazine.com website, the domain used by the attackers to collect the stolen payment information has been taken down using Freenom's abuse API, which makes it possible to take malicious domains down immediately.
The deobfuscated version of the Magecart script can be found HERE; it shows exactly which payment data the cybercriminals collected, as well as the address of the server the skimmed info was being sent to.
WARNING @Forbes Magazine subscription website (https://t.co/VqCahQHj9X) is infected with #magecart malware.
Exfil domain: fontsawesome[.]gq (BG) @urlscanio results: https://t.co/Su3ziLZd3w
Deobfuscated code: https://t.co/jb0ULmq0Et pic.twitter.com/zlRGZ5k2hE
— Bad Packets Report (@bad_packets) May 15, 2019
The attackers used the WebSocket protocol to exfiltrate the stolen data. WebSocket is a communications protocol that "enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code," as described in the IETF's RFC 6455 Standards Track document.
Magecart groups have been active since at least 2015 and represent an ever-evolving threat capable of attacking high-profile international companies such as Ticketmaster, British Airways, OXO, and Newegg, as well as small retailers such as Amerisleep and MyPillow.
Magecart campaigns are still going strong: in early April, security outfit Group-IB found 2,440 compromised websites that had been infected with payment card skimming scripts.
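Because a skimmer's WebSocket still has to obey the page's Content-Security-Policy, the `connect-src` directive (which governs WebSocket, fetch and XMLHttpRequest destinations) is the control that decides whether an injected script can reach an attacker-run host at all. The following is an added example, not code from the article, Forbes or Bad Packets: a small evaluator that answers "would this policy let the browser open a WebSocket to this URL?". The checkout page hostname and the policies are constructed placeholders; the exfil host is the one the article reports, which has since been taken down. Matching follows the CSP3 source-expression rules in simplified form (assumption: nonce and hash sources, `'strict-dynamic'` and redirects are not modelled, since they do not affect `connect-src` evaluation here).

```javascript
// Added example (not the article's or any vendor's code): CSP connect-src evaluation.
// Assumption: simplified CSP3 matching; nonces, hashes and redirects are not modelled.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a CSP header value into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// CSP3 "scheme-part match": a source scheme also covers its secure upgrade.
function schemeMatches(exprScheme, urlScheme) {
  const a = exprScheme.replace(/:$/, '').toLowerCase();
  const b = urlScheme.replace(/:$/, '').toLowerCase();
  return a === b
    || (a === 'http' && b === 'https')
    || (a === 'ws' && ['wss', 'http', 'https'].includes(b))
    || (a === 'wss' && b === 'https');
}

// Effective port of a URL ('' only for schemes without a known default).
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does one source expression match the target URL for a page at `origin`?
function sourceMatches(expr, target, origin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") {
    // Same origin, or same host and port where the target is a secure scheme
    // (an https page may open wss to itself).
    const sameHost = target.hostname === origin.hostname && portOf(target) === portOf(origin);
    return sameHost && (target.protocol === origin.protocol
      || ['https:', 'wss:'].includes(target.protocol)
      || (origin.protocol === 'http:' && target.protocol === 'ws:'));
  }
  if (e === '*') {
    return ['http:', 'https:', 'ws:', 'wss:'].includes(target.protocol) || target.protocol === origin.protocol;
  }
  if (e.startsWith("'")) return false;                     // 'unsafe-inline', nonces, hashes: never match a connection
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e, target.protocol);  // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]; host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^:\/]+)(?::(\d+|\*))?(\/\S*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme || origin.protocol, target.protocol)) return false;
  if (host.startsWith('*.')) {
    if (!target.hostname.endsWith(host.slice(1))) return false;  // "*.example.com" matches subdomains only
  } else if (host !== '*' && target.hostname !== host) {
    return false;
  }
  if (port === '*') { /* any port */ }
  else if (port !== undefined) { if (portOf(target) !== port) return false; }
  else if (portOf(target) !== DEFAULT_PORTS[target.protocol]) return false;
  if (path !== undefined) {
    const ok = path.endsWith('/') ? target.pathname.startsWith(path) : target.pathname === path;
    if (!ok) return false;
  }
  return true;
}

// Would a WebSocket (or fetch/XHR) from pageUrl to targetUrl be allowed by this CSP?
function connectionAllowed(cspHeader, pageUrl, targetUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy['connect-src'] || policy['default-src'];  // connect-src falls back to default-src
  if (sources === undefined) return true;                           // no applicable directive: browser allows it
  const origin = new URL(pageUrl);
  const target = new URL(targetUrl);
  return sources.some((s) => sourceMatches(s, target, origin));
}

// Constructed sample: a checkout page on a placeholder hostname, and the exfil
// host the article reports (taken down via Freenom's abuse API).
const PAGE = 'https://www.forbes-example.invalid/subscribe/checkout';
const EXFIL = 'wss://fontsawesome.gq/';
const LOCKED_DOWN = "default-src 'self'; script-src 'self' https://cdn.forbes-example.invalid; connect-src 'self' https://api.forbes-example.invalid";
const PERMISSIVE = "default-src 'self'; connect-src *";

function demo() {
  return {
    lockedDownBlocksExfil: !connectionAllowed(LOCKED_DOWN, PAGE, EXFIL),
    permissiveAllowsExfil: connectionAllowed(PERMISSIVE, PAGE, EXFIL),
  };
}

console.log(demo());
```

The point of the two policies is the difference between listing the back-end hosts the checkout page actually talks to and falling back to `connect-src *` (or omitting `connect-src` and `default-src` altogether): under the first, the browser refuses the skimmer's WebSocket before a single byte leaves the page, and the refusal is also reported to a `report-uri`/`report-to` endpoint if one is configured, which gives defenders a detection signal.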
As RiskIQ's head of threat research Yonathan Klijnsma also said, "for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms."

In late April, Malwarebytes security researcher Jérôme Segura found hundreds of Magento stores injected with skimmer scripts hosted on GitHub repositories, and Magecart groups also managed to infect the online shop of the NBA's Atlanta Hawks, as uncovered by Sanguine Security.
CloudCMS and Picreel also under siege
In addition, Willem de Groot discovered supply chain attacks that compromised scripts used by customers of the analytics provider Picreel and of the CloudCMS headless content management system, injecting web skimmers into them.
"Luckily, the fact that the skimmer was isolated to a single file significantly reduced the number of sites exposed—version 1.5.23 only affects 20% of the sites using CloudCMS according to RiskIQ telemetry data," says Klijnsma in an analysis of the two Magecart supply-chain attacks published today.
Since CloudCMS is not that widely used, with RiskIQ finding CloudCMS-hosted scripts on only a few hundred websites, the scale of the attack appears limited, given that only one-fifth of those sites would have used the compromised script.

In Picreel's case, even though the infected script was found on hundreds of websites, it also contained a few errors that prevented it from running every time, which spared many of the sites impacted by the attack.
"Credit card-skimming groups like Magecart are gaining efficiency, so it takes less time than ever for consumers to see their data stolen, seemingly out of nowhere. In the end, it doesn’t matter to consumers whether this happens as the result of a traditional breach or a web-based supply chain attack," also says Klijnsma.

Comments
chilinux - 2 years ago
Why does a credit card checkout page need to load javascript from 5 different external domains on its checkout page??
Forbes doesn't set X-XSS-Protection. They don't restrict the Content-Security-Policy to a fixed set of domains (which may have prevented this attack). And Forbes doesn't use Subresource Integrity digests with their HTML script tags to avoid javascript injection.
This attack should have been easily prevented with just a few more proactive security steps having been taken by Forbes.
Forbes is also one of the sites that would complain when a web browser is using uBlock Origin and ask that the Forbes website be whitelisted. It is stuff like this that shows there is a clear conflict of interest when it comes to demanding that level of trust. Forbes never deserves to be whitelisted in uBlock Origin. Period.