In a recent Magecart credit card theft campaign, legitimate websites are taken over and used as "makeshift" command and control (C2) servers to inject and conceal skimmers on selected eCommerce sites.
An online store breached by hackers to insert malicious scripts that steal customers' credit cards and personal information while they are checking out is known as a "Magecart attack."
The United States, the United Kingdom, Australia, Brazil, Peru, and Estonian organisations have all been penetrated, according to Akamai researchers following this campaign.
A further indication of the stealthiness of these attacks, according to the cybersecurity firm, is the fact that many victims haven't been aware they've been compromised for more than a month.
Exploiting legitimate sites
The initial step taken by the attackers is to find trustworthy websites that are vulnerable and hack them to host their malicious code and function as C2 servers for their attacks.
Threat actors avoid detection and blockades and are spared from having to build up their own infrastructure by disseminating credit card skimmers through reputable, legal websites.
The next step taken by the attackers is to insert a short JavaScript snippet into the target e-commerce websites that retrieves the malicious code from the previously compromised websites.
"Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites' digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website," researchers explained in the report.
To enhance the attack's stealthiness, the threat actors developed the skimmer's structure to mimic that of Google Tag Manager or Facebook Pixel, which are well-known third-party services that are unlikely to draw attention. Base64 encoding also hides the host's URL.
Data theft details
Akamai claims to have observed two different skimmer iterations being used in the specific campaign.
A number of CSS selectors that target consumer PII and credit card information are included in the initial version, which is highly obscured. For each site that was targeted, a different set of CSS selectors was created specifically for that victim.
The second skimmer variant's lack of security allowed indicators in the code to be exposed, which allowed Akamai to map the campaign's distribution and identify more victims.
The data is sent to the attacker's server via an HTTP request formed as an IMG tag inside the skimmer after the skimmers steal the customers' personal information. The data also has a layer of Base64 encoding to obscure the transmission and lessen the chance that the victim will notice the breach.
By safeguarding website admin accounts effectively and updating their CMS and plugins, website owners may fend off Magecart invasions.
By adopting electronic payment methods, virtual cards, or restricting how much can be charged to their credit cards, customers of online stores can reduce the danger of data exposure.
