Legitimate sites steal your credit card details without their knowledge, but how is this possible?


Camille Coirault

June 12, 2023 at 5:05 p.m.


Magecart attacks were discovered five years ago and, despite that, they are still very effective. Many users of e-commerce sites still pay the price today. So what does the term Magecart mean, and what are the risks for us as consumers?

A Magecart attack is a modus operandi that involves inserting malicious scripts into online shopping sites to steal customer data. And we’re not talking about just any data here: credit cards and consumers’ personal information are directly affected. These attacks take place during the payment process, on completely legitimate sites. This is what makes this new campaign of credit card theft particularly worrying. The sites concerned are used as command and control servers. This spares hackers the need to set up their own infrastructure and gives them plenty of time to circumvent detection and blocking measures. These attacks are becoming more frequent and pose a serious threat to the security of online transactions. A new campaign of credit card thefts using this method has recently been discovered.

The infection of legitimate sites by masked skimmers

Skimmers, or data collectors, are specialized programs. Attackers first target vulnerable legitimate sites and compromise them to host the skimmer code. They use these sites as a control base to make their attacks undetectable. For now, the hacking method used is unclear. However, hackers are highly likely to be exploiting vulnerabilities in popular digital commerce platforms: Magento, WooCommerce, WordPress or Shopify.

To avoid detection, attackers hide skimmers by encoding them in Base64. In hacking, Base64 encoding can be used to obfuscate sensitive data or malicious code elements. It conceals these elements, or login information, making them less apparent and more difficult for the security measures in place to spot. This encoding also hides the host URL. The structure of these skimmers is further designed to resemble that of Google Tag Manager or Facebook Pixel, two popular third-party services that do not raise suspicion. Rather clever and very disturbing.
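The following added example, which is not from the article or its sources, shows how a site owner could audit a page for this pattern: it decodes Base64 string literals found in inline scripts and reports any that hide a URL on a host outside an allowlist. The allowlist, function names and sample HTML are assumptions constructed for illustration.

```javascript
// Hosts this page is expected to load scripts from (assumed allowlist).
const ALLOWED_HOSTS = new Set(['www.googletagmanager.com', 'connect.facebook.net']);

// Quoted string literals made of 16 or more Base64 characters.
const B64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;
// Bodies of inline <script> elements.
const INLINE_SCRIPT = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Decode a candidate; return the text only if it is well-formed printable ASCII.
function decodeIfText(b64) {
  if (b64.length % 4 !== 0) return null;
  const text = Buffer.from(b64, 'base64').toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Return one finding per Base64 literal in an inline script that decodes
// to a URL whose host is not on the allowlist.
function findHiddenScriptHosts(html, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const script of html.matchAll(INLINE_SCRIPT)) {
    for (const lit of script[1].matchAll(B64_LITERAL)) {
      const text = decodeIfText(lit[1]);
      // Only absolute or protocol-relative URLs are of interest here.
      if (!text || !/^(https?:)?\/\//i.test(text)) continue;
      let host;
      try {
        host = new URL(text, 'https://placeholder.invalid').hostname;
      } catch { continue; }
      if (!allowedHosts.has(host)) {
        findings.push({ host, decoded: text, encoded: lit[1] });
      }
    }
  }
  return findings;
}

// Constructed sample page: one tag-manager-shaped inline script hiding an
// unlisted host, and one with an encoded ID plus an allowlisted URL.
const enc = (s) => Buffer.from(s).toString('base64');
const SAMPLE_HTML = `
<script>(function(w,d,s){var u=atob("${enc('https://cdn.unlisted-shop.example/gtm.js')}");})(window,document,"script");</script>
<script>var id="${enc('GTM-CONSTRUCTED1')}", t=atob("${enc('//www.googletagmanager.com/gtm.js')}");</script>`;

console.log(findHiddenScriptHosts(SAMPLE_HTML));
```

Because the skimmer host in this campaign is itself a legitimate site, the check relies on an explicit allowlist of expected script origins rather than on domain reputation.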


Information theft and data transmission

Once the sites are compromised, the attackers inject a small snippet of JavaScript code into the targeted e-commerce platforms. Then, nothing could be simpler for hackers: they use these skimmers to steal customer information. This data is then transmitted to the attackers’ servers using an HTTP request created as an IMG tag embedded in the skimmer. The American company Akamai now recognizes two types of skimmers. The first is a heavily obfuscated version containing custom CSS selectors for each targeted site, targeting customers’ personal information. The second variant is less well protected. Akamai was able to accurately map the hacking campaign and more easily identify victims.

Magecart attacks still pose a significant threat today. By compromising legitimate websites, they give hackers the opportunity to steal very sensitive information. Website owners can protect themselves against these attacks by securing their administration accounts and by regularly updating their CMS. Shoppers can reduce risk by using secure payment methods and setting a spending limit on their credit cards. Vigilance in the face of this resurgence of attacks remains essential, as they are evolving rapidly.

Sources: zdnet, bleepingcomputer, akamai


