Credit cards

A new Magecart credit card stealing campaign hijacks legitimate sites to act as "makeshift" command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.

A Magecart attack is when hackers breach online stores to inject malicious scripts that steal customers' credit cards and personal information during checkout.

According to Akamai's researchers monitoring this campaign, it has compromised organizations in the United States, the United Kingdom, Australia, Brazil, Peru, and Estonia.

The cybersecurity firm also points out that many of the victims have not realized they were breached for over a month, which is a testament to the stealthiness of these attacks.

Abusing legitimate sites

The attackers' first step is to identify vulnerable legitimate sites and hack them to host their malicious code, using them as C2 servers for their attacks.

By distributing the credit card skimmers using legitimate websites with a good reputation, the threat actors evade detection and blocks and are freed from needing to set up their own infrastructure.

Next, the attackers move to inject a small JavaScript snippet into the target commerce sites that fetches the malicious code from the websites compromised previously.

"Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites' digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website," explains Akamai in the report.

To add to the attack's stealthiness, the threat actors have obfuscated the skimmer with Base64 encoding, which also hides the host's URL, and built its structure in a way that resembles that of Google Tag Manager or Facebook Pixel, which are popular third-party services unlikely to raise suspicion.

Obfuscated URL in the code snippet
Obfuscated URL of host site in the code snippet (Akamai)

Data theft details

Akamai reports seeing two variants of the skimmer used in the particular campaign.

The first is a heavily obfuscated version containing a list of CSS selectors that target customer PII and credit card details. The CSS selectors were different for each targeted site, custom-made to match each victim.

The heavily obfuscated first skimmer variant
The heavily obfuscated first skimmer variant (Akamai)

The second skimmer variant was not as well protected, exposing indicators in the code that helped Akamai map the campaign's reach and identify additional victims.

After the skimmers steal the customers' details, the data is set to the attacker's server via an HTTP request created as an IMG tag within the skimmer.

Stolen data exfiltration
Stolen data exfiltration using IMG tag (Akamai)

A layer of Base64 encoding is applied to the data to obfuscate the transmission and minimize the likelihood of the victim discovering the breach.

Website owners can defend against Magecart infections by appropriately protecting website admin accounts and applying security updates for their CMS and plugins.

Customers of online shops can minimize the risk of data exposure by using electronic payment methods, virtual cards, or setting charge limits to their credit cards.

Related Articles:

Evasive Sign1 malware campaign infects 39,000 WordPress sites

American Express credit cards exposed in third-party data breach

Joomla fixes XSS flaws that could expose sites to RCE attacks

Hackers steal data of 2 million in SQL injection, XSS attacks