[BreachExchange] Magecart malware merrily sipped card details, evaded security scans on UK e-tailer Páramo for almost 8 months

Destry Winant destry at riskbasedsecurity.com
Wed May 20 10:31:46 EDT 2020


https://www.theregister.co.uk/2020/05/19/paramo_hack_magecart/

A card-skimming Magecart malware infection lingered on a British
outdoor clothing retailer's website without detection for nearly eight
months despite regular security scans.

London-based Páramo told customers last week that it had discovered a
"small piece of computer code covertly installed within our website".

The warning continued: "This code copied card details entered,
destined for PayPal and additionally sent them on to the attacker's
server. The data transferred was name, address, card number and CVV
code."

The Register confirmed with Páramo that 3,743 people's full card
details – including all data points necessary to make online purchases
elsewhere – had been stolen between July 2019 and March this year. In
its message to customers the retailer said:

This is despite the fact that Páramo employ Security Metrics, an
approved security scanning vendor, to conduct quarterly vulnerability
scans on our websites for PCI DSS purposes. The coding remained
undiscovered due to its sophisticated nature.

Security Metrics did not respond to The Register's questions.

Páramo's IT director, Jason Martin, told The Register the firm first
learnt something was wrong when PayPal, its chosen payments processor,
alerted them that 18 customers reported being victims of fraud after
making purchases from Páramo. Upon examining the site for any clues,
Martin's team discovered all was not as it should have been.

"Specifically, in our case," Martin explained, "the hackers' method
used a PHP file which modified our IFRAME src so that it still loaded
the PayPal code, but also loaded an external JavaScript file." The JS
file, named gcore.js, was externally hosted on an unremarkable
third-party URL.
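One defensive check that would surface the kind of injected include described above is to compare every script and iframe source on a checkout page against an explicit allowlist of expected hosts. The following is an added example written for this post, not code from Páramo, Security Metrics or the article; the allowed hosts, the placeholder third-party host and the sample page are constructed assumptions.

```python
"""Allowlist check for script and iframe loads on a checkout page.

Added example (not from the article): flags any <script src> or <iframe src>
whose host is outside an explicit allowlist. The hosts, file names and sample
page below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is expected to load code from (assumption).
ALLOWED_HOSTS = {"www.paypal.com", "www.paypalobjects.com"}


class _SrcCollector(HTMLParser):
    """Collect (tag, src) pairs for every script and iframe element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def unexpected_loads(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src) pairs that load from a host outside the allowlist.

    Relative URLs such as "/js/app.js" have no host and are treated as
    first-party; protocol-relative URLs ("//host/x") resolve to a host.
    """
    parser = _SrcCollector()
    parser.feed(html)
    flagged = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            flagged.append((tag, src))
    return flagged


# Constructed sample: the legitimate PayPal iframe plus an injected external
# script from a placeholder host (not the real URL from the incident).
SAMPLE_CHECKOUT_PAGE = """
<html><body>
<script src="/js/checkout.js"></script>
<iframe src="https://www.paypal.com/checkoutnow"></iframe>
<script src="//cdn.placeholder.invalid/gcore.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, src in unexpected_loads(SAMPLE_CHECKOUT_PAGE):
        print(f"unexpected {tag} load: {src}")
```

Because the attack modified the iframe itself, the same check should also be run over the document the iframe loads, not only the outer checkout page.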

El Reg passed the malicious JS file to a security researcher who asked
not to be named. They told us the file was part of the infamous
Magecart card skimmer malware and had been observed in the wild since
summer 2019, fitting the Páramo hack.

We also asked Cisco Talos to take a look at the malware sample for
confirmation. A company spokesman agreed that it looked like Magecart
and told us: "Criminals often seek unpatched web systems, or use
compromised credentials, in order to take control of a system and
subtly introduce malicious functionality that will execute in the
browser. In this way, malware such as Magecart is able to capture
personal data as web visitors enter it in their browser, exfiltrating
it to the criminals without the stolen information necessarily
touching the originally compromised system."

Supply chain attacks, where malicious persons target third-party
sources such as externally hosted scripts, have long been a thorn in
the side of the ecommerce world.

While the Páramo hack is relatively small fry for a jaded
cybersecurity industry that barely notices such compromises unless
millions of people's data is stolen, many reading this will probably
wipe their foreheads and mutter "there but for the grace of the gods".

A couple of years ago Magecart was the attack method that stole
380,000 people's card details from British Airways, while the malware
continues to evolve as researchers desperately try to halt its spread.
