Don’t Let the Grinch Steal Christmas: A Timeline of Holiday Season Magecart Activity

Friday, November 30, 2018

The retail, travel and hospitality industries face difficult security challenges year-round, but the period from November to the end of the year is the one that keeps the security professionals in these industries especially busy. The holiday shopping season is when financially motivated actors concentrate their attacks. A recent article states that analysts predict sales of up to $1.002 trillion during this shopping season in the U.S. alone.1 With this in mind, the Fidelis Threat Research Team wanted to shine a spotlight on the activities of the most notorious cybercrime gang of 2018, Magecart.

Since 2015, Magecart campaigns have stolen credit card data by compromising large websites or third-party services. Techniques have included brute-force password cracking of front-end systems2 and injecting code into only specific pages of e-commerce platforms such as Magento to avoid detection. The most recent attacks, however, exploit zero-day vulnerabilities in popular Magento store extensions in order to inject skimmer scripts.3

Magecart’s card skimming code has evolved over time. In 2015, Sucuri reported on malicious code found in a customer’s e-commerce site:
https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.html

On October 10, 2017, Sucuri reported on Magento database injections they had investigated. They identified the following code injection containing hex-encoded malware that looked for the payment form where users entered their credit card information4:

They also found a code injection that attempted to send customer credit card information to a domain associated with this Magecart event4:

https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html

On September 11, 2018, RiskIQ reported that British Airways' main website and mobile app were affected by a breach that occurred between August 15 and September 5, 2018.5 The skimmer code was 22 lines of script.

https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

On September 19, 2018, RiskIQ reported that the online retailer Newegg had been compromised. Magecart operators registered the domain neweggstats[.]com on August 13, 2018, and the skimmer code was active from around August 14 through September 18. This time the skimmer had been reduced to 15 lines of script.6

https://www.riskiq.com/blog/labs/magecart-newegg

Security researcher Willem de Groot, who has been tracking Magecart since 2015, reported this November that “over 40,000 stores have been hijacked since 2015.” Additionally, he stated, “in the last 3 months alone, I counted 5,400 unique online stores that got a skimmer added to their checkout pages.”7

As the holiday season approaches, consumers will be conducting online transactions such as booking travel and lodging, as well as shopping on Cyber Monday. Retailers, hotels, and airlines could be heavily targeted during this time and must take the necessary precautions to ensure they can detect when code has been modified on their e-commerce sites or in their mobile applications. We assess with moderate confidence that financially motivated actors will take lessons learned from the Magecart campaigns and apply the same TTPs and tradecraft in attempts to compromise legitimate sites for profit.
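One way to build the kind of checkout-page integrity check the paragraph above calls for, as an added example that is not Fidelis' or any vendor's code: it records the hashes of a page's inline scripts and an allowlist of script hosts from a known-good copy, then flags any script that deviates, which is how both a look-alike third-party domain (as in the Newegg case) and an edited inline script would surface. The sample page, the host names and the `shop-stats.example` look-alike host are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Records each <script> as {"src": url or None, "body": inline text}."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self.scripts.append({"src": src, "body": ""})
            self._inline = src is None
    def handle_data(self, data):
        if self._inline:
            self.scripts[-1]["body"] += data
    def handle_endtag(self, tag):
        self._inline = self._inline and tag != "script"

def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts

def sha256(text):
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()

def audit_checkout_page(html, allowed_hosts, baseline_hashes):
    """One finding per script that deviates from the recorded known-good baseline."""
    findings = []
    for s in collect_scripts(html):
        if s["src"] is not None:
            host = urlparse(s["src"]).hostname  # None means a relative, first-party path
            if host is not None and host not in allowed_hosts:
                findings.append(f"external script from unexpected host: {host}")
        elif sha256(s["body"]) not in baseline_hashes:
            findings.append(f"inline script changed: sha256 {sha256(s['body'])[:12]}")
    return findings

# Constructed sample checkout page (not a real site), recorded as the known-good baseline.
KNOWN_CHECKOUT = """<html><body><form id="checkout"><input name="cc_number"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>document.getElementById('checkout').addEventListener('submit', validate);</script>
</body></html>"""
ALLOWED_HOSTS = {"cdn.shop.example"}
BASELINE = {sha256(s["body"]) for s in collect_scripts(KNOWN_CHECKOUT) if s["src"] is None}
# Constructed copies: a script pulled from a look-alike host, and an edited inline script.
INJECTED_EXTERNAL = KNOWN_CHECKOUT.replace("</body>", '<script src="https://shop-stats.example/a.js"></script></body>')
TAMPERED_INLINE = KNOWN_CHECKOUT.replace("validate", "handleSubmit")
```

Run the audit on a fresh fetch of the live checkout page at regular intervals and alert on any non-empty result; the same baseline approach applies to the JavaScript bundled in a mobile app.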

1 https://www.cnbc.com/2018/11/06/us-christmas-retail-sales-to-surpass-1-trillion-this-year-emarketer.html
2 https://threatpost.com/magecart-group-targets-shopper-approved-in-latest-attack/138090/
3 https://securityaffairs.co/wordpress/77365/cyber-crime/magecart-new-tactic.html
4 https://blog.sucuri.net/2017/10/credit-card-stealer-investigation-uncovers-malware-ring.html
5 https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
6 https://www.riskiq.com/blog/labs/magecart-newegg
7 https://gwillem.gitlab.io/2018/11/12/merchants-struggle-with-magecart-reinfections/

- Danny Pickens
Director, Threat Research