Magecart, an umbrella of several groups that target e-commerce websites, was found in action again. Recently, one of the groups has heavily targeted Magento e-commerce websites to steal credit card details. The attackers have used six different types of Magento credit card swipers for these attacks.

What has happened?

The recent attack succeeded against e-commerce sites running an old version of Magento; the affected version was nearly seven years old and was missing several security patches.
  • One of the tactics some Magecart actors used was to dump swiped credit card details into image files on a server to avoid suspicion. These can be downloaded later with a simple GET request.
  • Two image files saved on the server stored chunks of base64-encoded data; once decoded, the data contained credit card CVV numbers and other details in plain text.

Additional insights

Analyzing one of the image files revealed that the attackers added extra comment chunks for obfuscation.
  • The attacker used the eval(base64_decode()) construct for additional obfuscation; this part of the code uses randomly named variables.
  • Another image file found on the server used the same patterns and encoding types as the first, but with slightly different content and bogus CSS files.
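As an added, defender-side example (not code from the article or from any Magecart sample), the following Python check inspects an image file for data appended after its real end-of-image marker, the staging trick described above, and flags base64 chunks that decode to Luhn-valid card numbers or to an eval(base64_decode()) loader. The sample bytes, the fake card record and the 40-character run threshold are constructed assumptions.

```python
import base64
import re

# Constructed sample (not from the article): a minimal JPEG (SOI + filler + EOI)
# with a base64-encoded fake card record appended after the EOI marker, mimicking
# the staged "image" files described above. 4111111111111111 is a test PAN.
FAKE_RECORD = b"cc=4111111111111111&exp=12/29&name=TEST"
CLEAN_IMAGE = b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_IMAGE = CLEAN_IMAGE + base64.b64encode(FAKE_RECORD)

JPEG_EOI = b"\xff\xd9"
PNG_IEND = b"IEND\xaeB`\x82"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")         # long base64-looking runs
EVAL_RE = re.compile(rb"eval\s*\(\s*base64_decode", re.I)  # classic PHP loader
PAN_RE = re.compile(rb"\d{13,16}")                         # candidate card numbers


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, to separate real-looking PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = (ch - 48) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def trailing_bytes(blob: bytes) -> bytes:
    """Everything after the image's real end marker. Base64 and PHP source are ASCII,
    so they can never contain the 0xFF/0xAE/0x82 marker bytes: rfind is safe."""
    if blob.startswith(b"\xff\xd8"):
        end = blob.rfind(JPEG_EOI)
        return blob[end + len(JPEG_EOI):] if end != -1 else blob
    if blob.startswith(b"\x89PNG"):
        end = blob.rfind(PNG_IEND)
        return blob[end + len(PNG_IEND):] if end != -1 else blob
    return blob  # not an image at all: scan the whole file


def scan_image(blob: bytes) -> dict:
    """Report appended data, eval(base64_decode) loaders and Luhn-valid card numbers."""
    tail = trailing_bytes(blob)
    report = {"trailer_len": len(tail), "decoded_chunks": 0,
              "eval_b64": bool(EVAL_RE.search(tail)), "card_like": 0}
    for run in B64_RUN.findall(tail):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        report["decoded_chunks"] += 1
        report["eval_b64"] |= bool(EVAL_RE.search(decoded))
        report["card_like"] += sum(1 for m in PAN_RE.findall(decoded) if luhn_ok(m))
    return report
```

Run it over the web root's image directories: a non-zero trailer_len on a supposedly static image is itself worth a look, since legitimate images end at their marker.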

Conclusion

Magecart is one of the most active and prominent threat actor groups targeting e-commerce websites. The group keeps adopting new tactics, such as bulletproof hosting services, and various kinds of web skimmers, such as malicious PHP webshells, to target its victims. It is therefore important to keep the CMS up to date and apply security patches regularly.

Cyware Publisher