Magecart campaign – Hackers target eCommerce sites with web-based keylogger injection attacks

Researchers have been monitoring a campaign dubbed Magecart that compromised many ecommerce websites to steal payment card and other sensitive data.

Researchers have been monitoring a campaign in which cybercriminals compromised many e-commerce websites in an effort to steal payment card and other sensitive information provided by their customers.

Security experts from cloud-based security solutions provider RiskIQ have been monitoring a hacking campaign, dubbed Magecart, in which crooks hacked many e-commerce websites in an effort to steal payment card and other sensitive customer data.

The peculiarity of the Magecart campaign is that threat actors were injecting a keylogger directly into the target website.

As explained in the analysis, web-based keylogger injection attacks are still little-known, even though they’ve been occurring for a long time.

“Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—Magecart, a recently observed instance of threat actors injecting a keylogger directly into a website, is one of these.” reads the analysis published by RiskIQ.

The Magecart campaign was first spotted in March 2016, but it is likely it was started before and it is still active today.

Researchers observed a peak in the Magecart campaign in June, in conjunction with the adoption of an Eastern European bulletproof hosting service.

The attackers targeted several e-commerce platforms including Magento, Powerfront CMS and OpenCart. The researcher documented attacks against several payment processing services, including Braintree and VeriSign.

Experts at RiskIQ have identified more than 100 online shops compromised as part of the Magecart campaign, including e-commerce platforms of popular book publishers, fashion companies, and sporting equipment manufacturers. The cybercrooks even attacked the gift shop of a UK-based cancer research organization.

The attackers inject a JavaScript code directly in the websites to capture data entered by users, the researchers highlighted also the ability of the malicious code to add bogus form fields to the compromised website in an effort to collect more information from the victims.

“Formgrabber/credit card stealer content is hosted on remote attacker-operated sites, served over HTTPS. Stolen data is also exfiltrated to these sites using HTTPS.” states the analysis.

Once data is captured by the web-keylogger it is sent to the C&C server over HTTPS.

The web-keylogger is loaded from an external source instead of injecting it directly into the compromised website, simplifying the malware maintenance.

The researchers observed a continuous improvement of the threat over time as detailed by RiskIQ:

• Testing and capabilities development
• Increased scope of targeting payment platforms
• Development and testing of enhancements
• Addition of obfuscation to hinder analysis and identification
• Attempts to hide behind brands of commonplace web technologies to blend in on compromised sites

For further information of the Magecart campaign give a look at the datailed report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Magecart, e-commerce)