Skip to main content

Magecart Hackers Inject iFrame Skimmers in 19 Sites to Steal Payment Data

magecart website hacking

Cybersecurity researchers today uncovered an ongoing new Magecart skimmer campaign that so far has successfully compromised at least 19 different e-commerce websites to steal payment card details of their customers.

According to a report published today and shared with The Hacker News, RiskIQ researchers spotted a new digital skimmer, dubbed "MakeFrame," that injects HTML iframes into web-pages to phish payment data.

MakeFrame attacks have been attributed to Magecart Group 7 for its approach of using the compromised sites to host the skimming code, load the skimmer on other compromised websites, and siphoned off the stolen data.

Magecart attacks usually involve bad actors compromising a company's online store to siphon credit card numbers and account details of users who're making purchases on the infected site by placing malicious JavaScript skimmers on payment forms.

It's the latest in a series of attacks by Magecart, an umbrella term for eight different hacking groups, all of which are focused on stealing credit card numbers for financial gain.

Hackers associated with Magecart tactics have hit many high profile websites in the past few years, including NutriBulletOlympics ticket reselling websites, Macy's, TicketmasterBritish Airways, consumer electronics giant Newegg, and many other e-commerce platforms.

RiskIQ had said it took just 22 lines of JavaScript code infection for the attackers to gain real-time access to the sensitive data in question.

Using Obfuscation to Avoid Detection


The new MakeFrame Skimmer code, a blob of the hex-encoded array of strings and obfuscated code, is included between benign code to escape detection, RiskIQ researchers said.

But in a twist, the code is impossible to be deobfuscated due to a check (_0x5cc230['removeCookie']) that ensures it is not altered. When this check passes, the skimmer code is reconstructed by decoding the obfuscated strings.

magecart cyber attack

Once the skimmer is added on the victim site, MakeFrame also has provisions to emulate the payment method, use iframes to create a payment form, detect the data entered into the fake payment form upon pressing of the "submit" button, and exfiltrate the card information in the form '.php' files to another compromised domain (piscinasecologicas dot com).

"This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration," RiskIQ said.

"Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well."

magecart JS skimmer

Stating that three distinct versions of this skimmer with varying levels of obfuscation have been identified, RiskIQ said each of the affected websites is a small or medium-sized business.

Increasing prevalence of Magecart attacks


Although spotted in the wild since 2010, this kind of intrusion — dubbed Magecart attack because of the threat actors' initial preference for Magento e-commerce platform to gather illicit card data — has intensified over the last few years.

"Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft," RiskIQ previously noted in its report on the Magecart actors.

In addition, the actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets.

The recent wave of e-skimming attacks has grown so widespread — affecting over 18,000 domains — that it led the FBI to issue a warning about the emerging cyber threat and urging businesses to erect sufficient security barriers to protect themselves.

The intelligence agency, in an advisory posted last month, recommended that companies keep their software up-to-date, enable multi-factor authentication, segregate critical network infrastructure, and watch out for phishing attacks.

"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time," RiskIQ concluded.

"They are not alone in their endeavors to improve, persist, and expand their reach. RiskIQ data shows Magecart attacks have grown 20 percent amid the COVID-19 pandemic. With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever."

Source : The Hacker News

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...