According to security experts at RiskIQ, the Magecart Group 12 is behind a large-scale operation against OpenCart online stores. The attackers used stealth tactics to remain under the radar and siphon payment data from compromised e-commerce sites.
Security firms have been monitoring the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they differ considerably from one another.
According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.
OpenCart is among the most popular e-commerce platforms worldwide and is currently used by thousands of online stores of any size. Because OpenCart is one of the top three e-commerce CMSs, after Shopify and Magento, it is no surprise that crooks target it too.
Previous attacks carried out by the Magecart Group 12 hit e-commerce services used by thousands of online stores that ran versions of Magento, OpenCart, and OSCommerce. The attacks against OpenCart-based stores are similar to the Magento ones.
“We’ll also break down a large-scale Magecart Group 12 campaign uncovered by
In the latest wave of attacks, Magecart Group 12 injected its skimmer into OpenCart websites only after checking whether the visitor had accessed a checkout page. Technically, they added the following pre-filter JavaScript code:
Attackers used a domain name that attempts to impersonate the Bing.com search engine script.
“One other notable element of this attack is the impersonation attempt for the Bing.com search engine script:”
https://batbing[.]com/js/bat.min.js
The normal Bing URL looks very similar:
https://bat[.]bing[.]com/bat.js
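The two URLs above differ only by a dot, which is enough to defeat a careless allow-list. The following is an added example, not code from RiskIQ's report: it shows a weak suffix check that accepts the impersonating host next to a stricter check that flags it, and it goes slightly beyond the case in the article by also flagging hosts one character away from an allowed one. The allow-list, the function names and the cdn.example.org URL are assumptions made for illustration.

```javascript
// Added example: the allow-list and the cdn.example.org URL are constructed;
// the two defanged URLs are the ones quoted in the article.
const ALLOWED_SCRIPT_HOSTS = ["bat.bing.com"]; // assumption: hosts the store loads from

// Turn a defanged indicator ("batbing[.]com") back into a parseable URL.
function refang(url) {
  return url.replace(/\[\.\]/g, ".");
}

function hostOf(url) {
  return new URL(refang(url)).hostname.toLowerCase();
}

// Weak check: a plain suffix test treats batbing.com as part of bing.com.
function naiveSuffixAllowed(url, suffix = "bing.com") {
  return hostOf(url).endsWith(suffix);
}

// Drop separators so "bat.bing.com" and "batbing.com" compare equal.
function skeleton(host) {
  return host.replace(/[.-]/g, "");
}

// Levenshtein distance, used to catch one-character variants as well.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Hardened check: exact host match, then look for near-copies of allowed hosts.
function classifyScript(url, allowed = ALLOWED_SCRIPT_HOSTS) {
  const host = hostOf(url);
  if (allowed.includes(host)) return { host, verdict: "allowed" };
  for (const good of allowed) {
    if (editDistance(skeleton(host), skeleton(good)) <= 1) {
      return { host, verdict: "lookalike", imitates: good };
    }
  }
  return { host, verdict: "unlisted" };
}
```

Run over the script URLs collected from a store's checkout pages, anything classified as "lookalike" or "unlisted" is a candidate for review.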
RiskIQ, with the support of AbuseCH and the Shadowserver Foundation, took offline the domain used by the hackers.
Experts found references to the skimmer script in a forum post on the OpenCart forum.
RiskIQ experts believe that new types of web skimming attacks will be observed in the future, and that hackers will go beyond payment data, attempting to steal login credentials and other sensitive information.
“It’s likely that new breeds of these web skimming attacks will emerge in the future, whether by new or existing Magecart groups. They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information.” concludes RiskIQ. “This widens the scope of potential Magecart victims far beyond e-commerce alone.”
(SecurityAffairs – Magecart Group 12, OpenCart)