Magecart Attacks on the Rise

Magento is an open source ecommerce platform that offers flexible solutions, a vibrant extension marketplace, and an open global ecosystem.  Magento is built on the Zend Framework and PHP, and is considered to be the leading platform within the ecommerce market.  In less than 10 years, Magento has had massive success rolling out its solutions to customers ranging from small home-based and startup businesses to multinational conglomerates.  Magento's popularity is similar to that of other popular open-source CMS frameworks such as Drupal, Joomla, and WordPress, although with a specific focus on ecommerce.  Over the course of several months, it was reported that Ticketmaster, British Airways, and most recently, Feedify (a customer-retention tool), Newegg (ecommerce), and Stein Mart (clothing retailer) have been affected by attackers known as Magecart.

It is surmised that the attackers behind Magecart have exploited known Magento vulnerabilities, vulnerabilities in other server-side software that the victims are using, or a combination of both.  The attacks often require write access to the server hosting the Magento payment scripts.  In the latest British Airways attack, for example, just 22 lines of code were injected into existing pages; that code exfiltrated data to websites that looked to be related to the victims (e.g., baways.com) but were owned by the attacker, not by British Airways.  In the Feedify instance[1], the URL appeared to be a third-party or stats-collecting URL [hxxps://info-stat[.]ws/js/slider.js], and so avoided alerting network administrators.  Researchers highly recommend that online shoppers use credit cards and not debit cards for their protection.

Signatures: JS/MagentoSkimmer.B!tr

Indicator(s):

magentocore[.]net
adaptivecss[.]org
baways[.]com
neweggstats[.]com
magento[.]name
info-stat[.]ws
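
Because the exfiltration hosts described above are chosen to look like victim-owned or routine stats domains, comparing every external script host against an explicit allowlist is more reliable than reviewing names by eye. The following Python sketch is an added example, not part of the original report: it refangs the indicators listed above and audits a page's script sources. The sample page and the hosts cdn.example and shop-metrics.example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Defanged indicators exactly as listed in this report.
REPORT_INDICATORS = ("magentocore[.]net adaptivecss[.]org baways[.]com "
                     "neweggstats[.]com magento[.]name info-stat[.]ws").split()

def refang(value):
    """Undo defanging (hxxp, [.]) so the value can be matched."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()
BLOCKLIST = {refang(i) for i in REPORT_INDICATORS}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def matches(host, domains):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_page(html, allowed_hosts):
    """Return (src, verdict) for each external script that needs review."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        host = (urlsplit(src).hostname or "").lower()
        if not host:
            continue  # relative path, served from the page's own origin
        if matches(host, BLOCKLIST):
            findings.append((src, "known-indicator"))
        elif not matches(host, allowed_hosts):
            findings.append((src, "not-allowlisted"))
    return findings

# Constructed sample page; cdn.example and shop-metrics.example are hypothetical.
SAMPLE_HTML = (
    '<script src="/static/checkout.js"></script>'
    '<script src="https://cdn.example/lib/jquery.min.js"></script>'
    '<script src="//stats.shop-metrics.example/t.js"></script>'
    '<script src="%s"></script>' % refang("hxxps://info-stat[.]ws/js/slider.js")
)
```

This audits external script references only; code injected directly into an existing first-party file, as in the 22-line British Airways case, has no new src to flag and calls for file-integrity monitoring of the payment pages instead.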

For questions, comments or assistance regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com

[1] https://www.zdnet.com/article/feedify-becomes-latest-victim-of-the-magecart-malware-campaign/
