Newly Detected Magecart Infrastructure Discloses the Scale of Ongoing Campaign

WordPress websites accounted for 61% of known credit card skimming malware detections during the first five months of 2022, followed by Magento.


A recently discovered Magecart skimming campaign has its origins in earlier attack activity dating back to November 2021.

Malwarebytes revealed in a Tuesday investigation that two malware domains identified as hosting credit card skimmer code, "scanalytic[.]org" and "js.staticounter[.]net", are part of a larger infrastructure used to carry out the attacks.

Jérôme Segura stated, "We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines. However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits." 

Based on the other domains discovered, the earliest indication of campaign activity dates back to May 2020.

Magecart is a cybercrime syndicate made up of dozens of subgroups that specialise in digital credit card fraud, carried out by injecting JavaScript code into e-commerce shops, often on checkout pages.

Operatives obtain access to websites either directly or through third-party firms that provide software to the targeted websites. While the attacks first received attention in 2015 for targeting the Magento e-commerce platform (the term Magecart is a combination of "Magento" and "shopping cart"), they have now spread to other platforms, including a WordPress plugin called WooCommerce. 

According to a Sucuri study published in April 2022, WordPress overtook Magento as the leading CMS platform for credit card skimming malware as of July 2021, with skimmers hidden in websites as fake images and seemingly harmless JavaScript theme files.

Furthermore, during the first five months of 2022, WordPress websites accounted for 61 per cent of known credit card skimmer malware detections, followed by Magento (15.6 per cent), OpenCart (5.5 per cent), and others (17.7 per cent). 

"Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web," Sucuri's Ben Martin stated at the time.