[BreachExchange] MagentoCore Card Skimmer Found on Mass Numbers of E-Commerce Sites

Destry Winant destry at riskbasedsecurity.com
Mon Sep 3 08:05:19 EDT 2018


https://threatpost.com/magentocore-card-skimmer-found-on-mass-numbers-of-e-commerce-sites/137117/

The Magecart group is likely behind the most prolific card-stealing
operation seen in the wild to date.

A whopping 7,339 (and counting) individual e-commerce sites have been
infested with the MagentoCore.net payment-card skimmer in the last six
months, making the malicious script one of the most successful
credit-card threats out there. The infections are part of a single
effort, all tied back to one well-resourced group with global reach.

“Online skimming – your identity and card are stolen while you shop –
has been around for a few years, but no campaign has been so prolific
as the MagentoCore.net skimmer,” said independent malware hunter
Willem de Groot, in a posting Thursday on the prolific nature of the
script. “The group has turned [thousands] of individual stores into
zombie money machines, to the benefit of their illustrious masters.”

As for who those illustrious masters are, de Groot told Threatpost via
email that he suspects the Magecart group to be behind it – which is
the same outfit that pulled off the Ticketmaster heistearlier in the
year. However, attribution beyond the basics remains murky.

“Their collection server is registered in Moscow, but I couldn’t say
anything about their location or nationality, unfortunately,” he told
us.

The campaign is global, he said, and ongoing: According to de Groot’s
nightly scans, new stores are being hijacked at the alarming pace of
50 to 60 stores per day.

Further, the script appears to be rather persistent: The average
recovery time is “a few weeks” he said, with at least 1,450 e-commerce
sites hosting the MagentoCore.net parasite during the full six months
of his analysis.

“The victim list contains multimillion dollar, publicly traded
companies, which suggests the malware operators make a handsome
profit,” he said in the posting. “But the real victims are eventually
the customers, who have their cards and identities stolen.”

The Magecart actors are targeting online stores running WooCommerce
from WordPress and Magento software, he told Threatpost, and “the
attack vector is, in almost all recent cases, brute-forcing the
administrator password.” He said the adversaries are patient,
automatically trying millions of common passwords until they find one
that works, often over the course of a few months.

Attackers can also gain unauthorized access from a staff computer
that’s infected with malware, or by hijacking an authorized session
using a vulnerability in the content management system (CMS).

As for the code itself, the skimmer has been around since last
December, although less sophisticated versions were found as early as
2015, de Groot told Threatpost. Once the actors succeed in gaining
access to the back-end CMS running the website, they embed the
MagentoCore.net Javascript code into the HTML template. This can be
hidden in a few places, including in default HTML headers and footers,
and in minimized, static, hidden Javascript files deep in the
codebase. It also adds a backdoor to cron.php.

“That will periodically download malicious code, and, after running,
delete itself, so no traces are left,” de Groot said.

Once installed, it sets about recording the keystrokes of unsuspecting
online shoppers, sending everything in real-time to the malware’s
Muscovite server, registered in Moscow. MageCart has been seen
recruiting U.S. money mules to monetize the stolen card information;
and de Groot said they can also sell them on the black market for $5
to $30 per card.

E-commerce site owners should be actively auditing their CMS, given
the virulent nature of the campaign.

“My advice to shop owners is to periodically check for unauthorized
code in headers, footers and database fields,” de Groot told
Threatpost. “Once found, a thorough investigation should be conducted,
because hackers usually sprinkle their hijacked systems with
backdoors. Version control [i.e., reverting to a certified safe copy
of the codebase] and a good malware scanner are very useful.”


More information about the BreachExchange mailing list