Magecart hackers compromise another 80 eCommerce sites

Security experts at Aite Group and Arxan Technologies have discovered that hackers under the Magecart umbrella have compromised 80 more eCommerce sites.

Security experts at Aite Group and Arxan Technologies have discovered that Magecart hackers continue to target online stores to steal credit card data, in recent operations, they have compromised 80 more eCommerce sites.

All of these websites were running an outdated version of Magento which is vulnerable to formjacking and digital card skimming. One out of four of the hacked eCommerce sites were large brands in motorsports and luxury retail.

“New research conducted by advisory firm Aite Group revealed that 100% of the eCommerce  websites examined were not protected — making them easy prey for Magecart attacks. Even more startling is the fact that it took only 2.5 hours of research to uncover the 80 compromised sites.” reads the analysis published by the experts.

Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data on, but they are quite different from each other. 

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify. ​​

According to experts, the 80 eCommerce sites were not hacked by a single group of Magecart hackers.

The researchers used a source code search engine to search for obfuscated JavaScript online that matched with malicious patterns previously associated with credit card skimmers used by Magecart. The expert quickly uncovered more than 80 e-commerce websites compromised by Magecart groups.

“To conduct this research, Aite Group used a source code search engine that scoured the web for obfuscated JavaScript that was found in repeating patterns of previously published Magecart breaches on pastebin.com.” reads the report published by the experts.

“What was uncovered in this research is e-commerce websites’ systemic lack of in-app protection to secure their web forms and the failure of endpoint security solutions on the client side to protect consumers against this pervasive threat.”

Many of the sites compromised by Magecart are running version 1.5, 1.7, or 1.9 that are known to be vulnerable to arbitrary file upload, remote code execution, and cross-site request forgery vulnerabilities. These flaws could be exploited by threat actors to inject the formjacking code into the site.

The researchers reported their findings to federal law enforcement and are notifying all affected organizations. Because the investigation is still ongoing, experts have decided not to name the victim sites.

The researchers also focused their analysis on the methods used by Magecart groups to monetize their efforts. Once obtained the credit card data the hackers sell them on the dark web forums, they also purchase merchandise on legitimate online shopping sites and ship them to pre-selected merchandise mules in an attempt to launder the fraudulent transactions.

“The attacker has the purchased items shipped to their merchandise mules. To recruit merchandise mules, the attacker posts jobs that offer people the ability to work from home and earn large sums of money to receive and reship merchandise purchased with the stolen credit card numbers.” continues the report.

“The mules then work with shippers willing to receive under-the-table pay to ship to eastern European addresses, which are in countries on the sanctioned shipping destinations for the Office of Foreign Assets Control (OFAC) regulations. The under-the-table shippers then ship the merchandise to the eastern European destinations, where it is sold to local buyers, which the attacker also profits from as a second line of revenue from the original breach in addition to the sale of the fullz on black market sites.”

Let me suggest to read the report that also includes solutions proposed by the experts to secure the eCommerce sites.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]