A group behind recent Magecart campaigns made a mistake that could have cost thousands of web stores the payment card data of their customers when they checked out.

The cybercriminals managed to compromise the popular Shopper Approved plugin used by online merchants to collect customer reviews and ratings. The plugin helps increase visibility by displaying the reviews in strategic locations through advertising networks from Google or Microsoft.

Security researchers from digital risk management company RiskIQ received an alert on September 15 from their systems for positive identification of the Magecart skimming code in the certificate.js script of the Shopper Approved seal code.

The investigation revealed that the attackers injected the code without applying any obfuscation, which made it easy to detect and identify. Aware of the mistake, they returned about 15 minutes later and modified the skimmer to hide it.

Deobfuscated Magecart card-skimming script

This blunder, although minor, was enough to let researchers view the clean code without having to resort to deobfuscation techniques.

Obfuscated code, 15 minutes later

Of note is the drop server set up by the attackers to receive the payment card data, which is the same used in the Feedify hack, a month ago.

RiskIQ used several channels of communication to alert Shopper Approved of the compromise and help them mitigate the issue. Two days later, the skimmer code was removed from the store review widget. An investigation was also started to learn the source of the compromise.

“While Shopper Approved is active on thousands of websites, only a small fraction of their clients were impacted,” RiskIQ says in a report shared with BleepingComputer in advance.

Shopper Approved identified clients that loaded the compromised script and contacted them to help remediate the issues.

At least seven groups associated with Magecart campaigns

Magecart is the term used for multiple groups that either compromise shopping websites directly or go further up the stream and infect plugins used by a large number of online stores, in an attempt to score big.

At the moment, RiskIQ distinguishes between seven groups, some of them responsible for the Ticketmaster, British Airways, Feedify, and Newegg breaches.

The recommendation from the experts is to remove third-party code from checkout pages. Many payment service providers have already adopted this practice, RiskIQ informs.

The Magecart threat is unlikely to disappear any time soon. In fact, a sharp increase in the number of attacks has been spotted in September by multiple security outfits.