[BreachExchange] 1 in 5 merchants compromised by Magecart get reinfected

Destry Winant destry at riskbasedsecurity.com
Thu Nov 15 09:11:24 EST 2018


https://www.helpnetsecurity.com/2018/11/13/magecart-reinfected/

The Magecart threat looms large for online retailers and their
customers, as the criminal groups that have been assigned this
collective name are constantly trying out new tricks for stealthily
compromising the shops and achieving persistence.

According to security researcher Willem de Groot, the Magecart
attackers have become so adept at the latter that many online
merchants end up having to clean their shops many times.

“In the last quarter, 1 out of 5 breached stores were infected (and
cleaned) multiple times, some even up to 18 times. This shows that
countermeasures taken by merchants and their contracted security
firms often fail,” he pointed out.

Changing tactics and expanding methodologies

De Groot has been tracking this and other similar threats affecting
online shops for years now, and puts Magecart operatives’ success down
to a number of tactics.

“Magecart operatives are getting more sophisticated in hiding their
presence and ensuring future access. Once an operative gains access to
a merchant’s server, it is common to litter the site with backdoors
and rogue admin accounts,” he explains.

They also rely on reinfection mechanisms such as database triggers and
hidden periodic tasks that reinstate the payload after a cleanup,
obfuscate their malicious code to evade detection, and have begun
using zero-day vulnerabilities and exploits to gain a foothold on
target sites.

Add to this their penchant for hitting many targets at once by
compromising third parties that supply services to those shops, and
it’s no wonder that merchants are having trouble keeping Magecart
groups at bay.

Preventing reinfections

Among the public examples of stores battling with Magecart
reinfections are Kitronik and Zapals.

And it’s not just the online shops: customer engagement service
Feedify, which was compromised by Magecart as a way to reach hundreds
of e-commerce sites, initially struggled to evict the attackers from
its own infrastructure.

On average, it takes online merchants nearly 13 days to discover and
remove the skimming scripts injected by Magecart. Reinfections
typically occur within 11 days of the cleanup.

Another thing that’s good to keep in mind is that the attackers are
particularly active during weekends.

While it may be difficult to prevent Magecart from compromising your
online shop, detection of injected scripts or any other malicious code
change can be made easier and quicker by using automated tools or
services designed specifically for this purpose.
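The change detection recommended above, as an added example that is not part of the article or of de Groot's own tooling: a small Python script that diffs a SHA-256 baseline of a web root against its current state (reporting added, removed and modified files) and audits rows shaped like MySQL's information_schema.TRIGGERS for trigger bodies that write script tags into stored content, the database-trigger reinfection mechanism mentioned earlier. The file names, table names, trigger names and the example.invalid domain are all constructed for the demo.

```python
"""
Reinfection check for an e-commerce web root (added example, not from the
article or from any vendor's product). Two checks:
 1. File-integrity diff: compare a baseline of SHA-256 hashes against the
    current tree and report added / modified / removed files.
 2. Trigger audit: scan rows shaped like MySQL's information_schema.TRIGGERS
    (TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT) for bodies that
    write HTML/JavaScript into table rows, which is how a database trigger
    can reinstate a skimmer after the files have been cleaned.
All paths, table names and domains below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile


def snapshot(root, exts=(".js", ".php", ".phtml", ".html")):
    """Return {relative_path: sha256_hex} for every tracked file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_snapshots(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Heuristic markers that rarely belong in a legitimate trigger body: inline
# script tags, JavaScript eval/decoding helpers, or a remote URL being written
# into a row. Treat hits as leads to review, not as proof of compromise.
_TRIGGER_MARKERS = re.compile(r"<script|eval\(|https?://|atob\(|fromCharCode", re.IGNORECASE)


def suspicious_triggers(rows):
    """rows: iterable of (trigger_name, event_object_table, action_statement),
    i.e. the columns of
      SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
      FROM information_schema.TRIGGERS;
    Returns the names of triggers whose body matches a marker."""
    return [name for name, _table, body in rows if _TRIGGER_MARKERS.search(body or "")]


def demo():
    """Build a constructed web root, take a baseline, simulate a reinfection,
    and audit constructed trigger rows. Returns (file_diff, flagged_triggers)."""
    with tempfile.TemporaryDirectory() as root:
        clean_files = {  # constructed "known good" deployment
            "app/design/checkout.phtml": "<form id='checkout'>...</form>\n",
            "js/app.js": "window.shop = {};\n",
        }
        for rel, body in clean_files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # Simulate what a reinfection does: append a script tag to a template
        # and drop a new file into the tree (both constructed payloads).
        with open(os.path.join(root, "app/design/checkout.phtml"), "a") as fh:
            fh.write('<script src="https://example.invalid/s.js"></script>\n')
        with open(os.path.join(root, "js", "vendor.js"), "w") as fh:
            fh.write("/* constructed dropped file */\n")
        file_diff = diff_snapshots(baseline, snapshot(root))

    trigger_rows = [  # constructed rows in information_schema.TRIGGERS shape
        ("trg_set_updated_at", "sales_order", "BEGIN SET NEW.updated_at = NOW(); END"),
        ("trg_footer_fix", "sales_order",
         "BEGIN UPDATE cms_block SET content = CONCAT(content, "
         "'<script src=\"https://example.invalid/s.js\"></script>') "
         "WHERE identifier = 'footer' AND content NOT LIKE '%example.invalid%'; END"),
    ]
    return file_diff, suspicious_triggers(trigger_rows)


if __name__ == "__main__":
    diff, flagged = demo()
    for kind, paths in diff.items():
        for p in paths:
            print(f"{kind:9}{p}")
    for name in flagged:
        print(f"suspicious trigger: {name}")
```

Take the baseline from a known-clean deployment and keep it off the web server, since an attacker who has left backdoors on the host can edit a baseline stored there just as easily as the templates. Given the 11-day reinfection window and the weekend activity noted above, run the comparison at least daily, weekends included, and review the trigger list as part of the same job rather than only the file tree.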

