The Magecart group and the evolution of its custom malware and attacks

• The malware has broadened its compatibility across platforms like CMS Powerfront, OpenCart, and Magento.
• Researchers have found evidence that links the malware to the Magecart threat group.

In 2016, a new threat group dubbed Magecart reared its head in cyberspace. The group has been targeting attacks against entities across the globe using its namesake custom malware.

Magecart malware was first detected in March 2016 and has since gained momentum.

Recently, there has been an uptick in the activities of the Magecart malware, which has been targeting several e-commerce platforms to steal personal and financial information.

Modus Operandi

This sophisticated online malware primarily focuses on targeting shopping platforms and works in two simple steps to spread its attack surface. First, the script checks if the user is on the checkout page in order to load the keylogger component that automatically records the keystrokes entered within the information boxes in the payment page.

In the second step, the malware injects the keylogger script in order to capture financial data. The data is redirected to an attacker-controlled remote server.

Recently, the malware has broadened its compatibility across platforms like CMS Power front, OpenCart and Magento. Researchers have found evidence that links the malware to the Magecart threat group. The group is known for Formjacking attacks, which involve inserting malicious JavaScript code into e-commerce sites to harvest customers’ credit card details.

Top attacks

• The malware picked up its pace in May 2016 and was found to have infected over 100 online stores. The malware targeted the Magento stores that used the Braintree Magento extension in order to steal log data entered on checkout pages. Later, this was data sent to the attackers’ remote server.
• After being silent for over a year, the malware made a comeback in 2018. Ticketing website Ticketmaster admitted that sensitive data of around 40,000 of its British and international customers were impacted in a serious breach that was carried out using the Magecart malware. The data compromised in the attack included names, email addresses, physical addresses, telephone numbers, Ticketmaster logins and payment card details of customers.
• The Magecart malware was also responsible for compromising the website of British Airways. This resulted in the hacker group accessing the personal and financial data of 565,000 customers. While 380,000 customers were reported to have had their financial detail compromised, another 185,000 customers may have had their reward bookings - made between April 21 and July 28 - stolen.
• Two other online retail shops, Feedify and Newegg, were also the victims of the Magecart malware. The threat group used the malicious script to steal credit card details and other information from both the e-commerce sites.

New Magecart variant

CartThief-3PC is a variant of the Magecart malware, designed to target payment pages on legitimate Magento-hosted retail sites. This malware variant uses a new method to encode or obfuscate the malicious domain and Personally Identifiable Information (PII) data collection activity.

The method helps the malware to avoid suspicion and bypass many blocking technologies. In this way, the malware manages to steal PIIs without the knowledge of users, website owners, and malware scanners.

Persistent threat

The widespread infection of Magecart malware and its variant possess a threat for all retail organizations. Hence, it is very important to follow some best practices for early detection and prevention from malware.

Below are a few measures users can take to stay safe:-

• Monitor for any suspicious changes to JavaScript files that are loaded into payment browsers to collect payment information.
• Validate the security of your network and systems using vulnerability management solutions.
• Implement multi-factor authentication (MFA) for all online accounts including the ones which are related to shopping.