With the onset of the holiday season, cybercriminals have begun ensnaring online shoppers. Recently, a new batch of Magecart or web-skimming attacks against 44 e-commerce sites was reported, exfiltrating users’ credit card and personal data.
Researchers attributed the campaign to three threat actor groups—tracked as Group X, Group Y, and Group Z—that took advantage of poor website security hygiene.
Modus Operandi of Group X
The attackers exploited a defunct third-party service called Cockpit to acquire a domain name and used it to serve a skimming script.
By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce sites.
Data collected from the compromised sites were encoded, encrypted, and then sent to an exfiltration server based in Russia.
Modus Operandi of Group Y
The skimmer code used by Group Y is very similar to that of Group X; however, the distribution method differs.
Instead of using a third-party service, the actor injected a Google Analytics lookalike script in the victims’ homepages.
The skimmer script was designed to run only on the checkout pages and harvested all accessible information.
Modus Operandi of Group Z
Group Z used attack methodologies identical to those of Group X and Group Y, apart from some modifications to the script and server structure.
The malicious script injected into the sites is disguised as Google Tag Manager rather than Google Analytics, which Group Y imitated.
Stealthy Magecart attacks remain a serious threat
Magecart attacks are becoming stealthier than ever as threat actors evolve their obfuscation techniques.
Recently, a JavaScript skimmer loaded with unique anti-detection features was deployed against shoppers on Magento-based e-commerce sites.
A skimmer code that leveraged virtual machines to evade detection was also used for Magecart attacks.
Conclusion
As Magecart groups continue to evolve their tactics for injecting malicious code into e-commerce sites, retailers need a proactive defense posture to protect their customers. This includes real-time, automated monitoring of the scripts served on their pages and immediate patching of vulnerabilities.
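The script monitoring recommended above, and the Google Analytics and Google Tag Manager lookalike loaders described for Group Y and Group Z, can be checked for with a small page audit. The code below is an added example and is not from the original article or from any of the researchers' tooling: it parses a page's script tags, compares external script hosts against a per-site allowlist, flags hostnames that imitate a known tag or analytics service (brand keyword embedded in a different registrable domain, or an edit distance of at most two from the real domain), and flags inline scripts whose hash is not in a deploy-time baseline. The allowlist, the baseline, and the sample checkout page are constructed assumptions for the demonstration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts this shop legitimately loads from (assumption; set per site).
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
}

# Service domains that skimmer loaders are known to imitate.
IMPERSONATED_DOMAINS = ["googletagmanager.com", "google-analytics.com"]


def inline_digest(body: str) -> str:
    """SHA-256 of an inline script body, whitespace-trimmed so formatting churn does not alert."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


# Inline script approved at deploy time (constructed); a real baseline is recorded from the
# reviewed release, not derived at audit time as it is here for the demonstration.
APPROVED_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE_INLINE_HASHES = {inline_digest(APPROVED_INLINE)}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted service domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb))) # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname; good enough for .com-style domains in this example."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host: str, allowed=ALLOWED_SCRIPT_HOSTS) -> str:
    """'allowed', 'lookalike' (imitates a known service), or 'unknown' (not on the allowlist)."""
    host = host.lower()
    if host in allowed:
        return "allowed"
    reg = registrable(host)
    for brand in IMPERSONATED_DOMAINS:
        keyword = brand.split(".")[0]
        # Brand name used as a subdomain of another registrable domain, or a near-miss spelling.
        if reg != brand and (keyword in host or levenshtein(reg, brand) <= 2):
            return "lookalike"
    return "unknown"


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html: str, allowed=ALLOWED_SCRIPT_HOSTS, baseline=BASELINE_INLINE_HASHES):
    """Return (kind, detail) findings for scripts that are not allowlisted or not baselined."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is None:          # relative URL: served first-party
            continue
        verdict = classify_host(host, allowed)
        if verdict != "allowed":
            findings.append((verdict, src))
    for body in collector.inline:
        digest = inline_digest(body)
        if digest not in baseline:
            findings.append(("unbaselined-inline", digest[:16]))
    return findings


# Constructed checkout page: one real tag-manager loader, one lookalike loader,
# one unknown third party, one approved inline script, one unreviewed inline script.
SAMPLE_CHECKOUT_HTML = f"""
<html><head>
  <script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
  <script src="https://www.googletagmanager.com.cdn-metrics.test/gtm.js"></script>
  <script src="https://static.cdn-assets.test/lib.js"></script>
  <script>{APPROVED_INLINE}</script>
  <script>document.addEventListener('submit', grabFields);</script>
</head><body>
  <script src="/js/checkout.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:20} {detail}")
```

Run against the sample page, the audit reports the `googletagmanager.com.cdn-metrics.test` loader as a lookalike, the `cdn-assets.test` script as unknown, and one unbaselined inline script. In practice the check would run on a schedule against the rendered checkout page (skimmers that load only on checkout, as in the Group Y case, are invisible on the homepage), and the same allowlist is what a Content-Security-Policy `script-src` directive would enforce in the browser.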