[BreachExchange] Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake

Destry Winant destry at riskbasedsecurity.com
Tue Oct 9 20:36:13 EDT 2018


A group behind recent Magecart campaigns made a mistake that could
have cost thousands of web stores the payment card data of their
customers when they checked out.

The cybercriminals managed to compromise the popular Shopper Approved
plugin used by online merchants to collect customer reviews and
ratings. The plugin helps increase visibility by displaying the
reviews in strategic locations through advertising networks from
Google or Microsoft.

Security researchers from digital risk management company RiskIQ
received an alert on September 15 from their systems for positive
identification of the Magecart skimming code in the certificate.js
script of the Shopper Approved seal code.

The investigation revealed that the attackers injected the code
without applying any obfuscation, which made it easy to detect and
identify. Aware of the mistake, they returned about 15 minutes later
and modified the skimmer to hide it.

This blunder, although minor, was enough to let researchers view the
clean code without having to resort to deobfuscation techniques.

Of note is the drop server set up by the attackers to receive the
payment card data, which is the same used in the Feedify hack, a month

RiskIQ used several channels of communication to alert Shopper
Approved of the compromise and help them mitigate the issue. Two days
later, the skimmer code was removed from the store review widget. An
investigation was also started to learn the source of the compromise.

“While Shopper Approved is active on thousands of websites, only a
small fraction of their clients were impacted,” RiskIQ says in a
report shared with BleepingComputer in advance.

Shopper Approved identified clients that loaded the compromised script
and contacted them to help remediate the issues.

At least seven groups associated with Magecart campaigns

Magecart is the term used for multiple groups that either compromise
shopping websites directly or move further upstream and infect
plugins used by a large number of online stores, in an attempt to
score big.

At the moment, RiskIQ distinguishes between seven groups, some of them
responsible for the Ticketmaster, British Airways, Feedify, and Newegg

The recommendation from the experts is to remove third-party code from
checkout pages. Many payment service providers have already adopted
this practice, RiskIQ notes.
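Where a third-party script cannot simply be removed from the checkout page, the browser-side control for the failure mode described above (a vendor's script silently modified upstream) is Subresource Integrity: pin the script to the hash of its reviewed contents so a changed file is refused. The following is an added example, not code from the article, RiskIQ or Shopper Approved; the script body and URL are constructed placeholders, and the real compromised file (certificate.js) is not reproduced.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a third-party review-widget script as reviewed and
# pinned at deploy time (placeholder content, not the real Shopper Approved code).
KNOWN_GOOD_SCRIPT = b"(function(){document.body.dataset.reviewsWidget='loaded';})();"
WIDGET_URL = "https://widget.example/seal.js"  # placeholder URL

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ('sha384-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, body: bytes) -> str:
    """Build a <script> tag pinned to the reviewed body. crossorigin="anonymous"
    is required for the browser to enforce SRI on a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')

def verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser check: the fetched body must hash to the pinned value."""
    algo, _, _ = integrity.partition("-")
    return hmac.compare_digest(sri_hash(body, algo), integrity)

def changed_scripts(pinned: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """Server-side monitoring variant of the same idea: given the integrity values
    pinned for each third-party script and the bodies fetched on a schedule, return
    the URLs whose content no longer matches (an alert condition, as with the
    modified certificate.js). A script that was pinned but is now missing is also
    reported, since a silent removal is equally unexpected."""
    return sorted(src for src, integrity in pinned.items()
                  if src not in fetched or not verify(fetched[src], integrity))

if __name__ == "__main__":
    pinned = {WIDGET_URL: sri_hash(KNOWN_GOOD_SCRIPT)}
    print(script_tag(WIDGET_URL, KNOWN_GOOD_SCRIPT))
    # Constructed "modified upstream" body: any appended bytes break the pin.
    tampered = KNOWN_GOOD_SCRIPT + b"/* injected change */"
    print(changed_scripts(pinned, {WIDGET_URL: tampered}))
```

SRI only fits scripts whose contents are stable between reviews; a vendor that ships frequent changes will break the pin, which is one reason the article's experts prefer keeping third-party code off the checkout page entirely.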

The Magecart threat is unlikely to disappear any time soon. In fact,
multiple security outfits spotted a sharp increase in the number of
attacks in September.
