Gangs using malicious JavaScript to steal payment information are targeting multiple online shopping platforms used by thousands of small stores, and the more advanced ones rely on tactics that keep them undetected for longer.

Generically known as Magecart because the Magento payment platform is a frequent target, the web skimming scripts are injected on checkout pages and collect credit and debit card details when customers pay for an order.

Attackers typically make their way in by exploiting known vulnerabilities in these platforms, whose outdated versions often run on smaller stores. They often set their sights on plugins that load on the checkout page.

Magecart gang attacks OpenCart websites

In a report today, RiskIQ researcher Yonathan Klijnsma details a large-scale operation Magecart Group 12 led against OpenCart online stores. It used stealth tactics to keep its activity under the radar and pilfer as much payment info as possible.

According to RiskIQ telemetry data, OpenCart is in the top three most frequent shopping platforms worldwide, powering thousands of online stores, both large and small. It is surpassed only by Shopify and Magento.

"With the ubiquity of these platforms (especially with self-hosted solutions) it’s often exposed to vulnerabilities that make it a prime target for skimming attacks," says Klijnsma.

Magecart Group 12 is among the more advanced in the bunch, known for compromising the script from online advertiser Adverline, which carried the malicious code to every website that loaded the French advertiser's script.

Klijnsma says that Magecart Group 12 sees a target in anything providing e-commerce services, breaching thousands of websites that ran versions of Magento, OpenCart, and OSCommerce.

In a recent attack, the threat actor aimed at OpenCart sites, injecting their skimmer only after checking if the visitor accessed a checkout page. To do this, they added pre-filter JavaScript code.

The actor used a domain name that impersonated the script for Microsoft's Bing.com search engine:

real URL: "https://bat[.]bing[.]com/bat.js"
attacker's domain: "https://batbing[.]com/js/bat.min.js"
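One defensive check a store operator can run against the script sources on a checkout page, as an added example that is not from the article or from RiskIQ: every script host is compared with an assumed allowlist, and hosts that match an allowed host once the dots are stripped (as batbing.com does for bat.bing.com) are reported as look-alikes rather than merely unknown.

```javascript
// Added example (not from the article or RiskIQ): audit <script src> URLs
// seen on a checkout page against an allowlist of expected hosts and flag
// (a) hosts not on the list and (b) look-alike hosts that differ from an
// allowed host only by dot or hyphen placement, e.g. batbing.com vs bat.bing.com.

// Hosts a store operator expects to load scripts from (assumed allowlist).
const ALLOWED_HOSTS = ["bat.bing.com", "www.google-analytics.com", "shop.example"];

// Undo the "[.]" defanging used in reports so the string parses as a URL.
function refang(s) {
  return s.replace(/\[\.\]/g, ".");
}

// Collapse a hostname to lowercase letters and digits only, so that
// "bat.bing.com", "batbing.com" and "bat-bing.com" all compare equal.
function skeleton(host) {
  return host.toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Classify each script URL as "allowed", "lookalike of <host>" or "unknown".
// Relative URLs resolve against the store's own origin (assumed shop.example).
function auditScriptSources(srcs, allowed = ALLOWED_HOSTS) {
  const allowedSet = new Set(allowed.map((h) => h.toLowerCase()));
  const bySkeleton = new Map(allowed.map((h) => [skeleton(h), h.toLowerCase()]));
  return srcs.map((raw) => {
    const src = refang(raw);
    let host;
    try {
      host = new URL(src, "https://shop.example/").hostname;
    } catch {
      return { src, verdict: "unparseable" };
    }
    if (allowedSet.has(host)) return { src, host, verdict: "allowed" };
    const twin = bySkeleton.get(skeleton(host));
    if (twin && twin !== host) return { src, host, verdict: `lookalike of ${twin}` };
    return { src, host, verdict: "unknown" };
  });
}

// Constructed sample of script sources from a checkout page; the two bat.js
// URLs are the ones quoted in the article, the rest are made up.
const SAMPLE_SRCS = [
  "https://bat[.]bing[.]com/bat.js",
  "https://batbing[.]com/js/bat.min.js",
  "/js/checkout.js",
  "https://www.google-analytics.com/analytics.js",
  "https://cdn.example-cdn.net/lib.js",
];

for (const f of auditScriptSources(SAMPLE_SRCS)) console.log(f.verdict.padEnd(26), f.src);
```

The same comparison can be applied to the hosts permitted by a Content-Security-Policy `script-src` directive, which is the place to enforce the allowlist once it has been reviewed.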

The domain used by the attacker is no longer active as RiskIQ together with AbuseCH and the Shadowserver Foundation took it offline.

Administrators of compromised OpenCart websites noticed the malicious JavaScript and took it to the platform's forum to find out how the attacker managed to plant it.

A recent report from Group-IB gives three methods of intrusion. One way is to exploit vulnerabilities in unpatched online store platforms.

Another is to steal the login credentials for the admin panel via brute-force attacks or phishing. The third method is to compromise an external resource that is loaded on the victim website.

Klijnsma is certain that new types of web skimming attacks will emerge in the future and that the focus may extend beyond payment data. The researcher says that RiskIQ already sees "moves to skim login credentials and other sensitive information."
