Most attackers who use the malicious JavaScript skimmers known as MageCart to steal payment information try to keep a low profile so they stay undetected on the sites they compromise. New research shows how one MageCart criminal group recently compromised an advertising script to inject its skimmer into hundreds of sites at the same time.
This type of attack has been very active this past year, with large sites such as British Airways, TicketMaster, OXO, and Newegg being affected by these malicious scripts.
While most attackers who use MageCart hack a few sites and hope to remain undetected, some groups compromise third-party scripts so that the malicious code is injected into many sites at once.
In research by TrendMicro and RiskIQ, a group tracked as Magecart Group 12 compromised a script belonging to a French advertising company in order to inject MageCart into that company's customers' websites.
MageCart group compromises advertising script
New reports released today by both TrendMicro and RiskIQ disclose that hundreds of ecommerce sites were affected by a MageCart attack through a compromised advertising script from French online advertiser Adverline. This script is used by Adverline's customers to retarget advertisements based on a visitor's interests or other behavior.
"On January 1, we detected a significant increase in activity from one of the web skimmer groups we’ve been tracking," stated TrendMicro's research. "During this time, we found their malicious skimming code (detected by Trend Micro as JS_OBFUS.C.) loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands."
BleepingComputer was told by Yonathan Klijnsma, a threat researcher at RiskIQ, which released its own report today, that Adverline did not respond to emails sent by the researchers, so TrendMicro contacted the CERT in France. While Adverline appears to have now cleaned up its code, numerous sites were affected before that, between January 1 and January 5, 2019.
In order to inject MageCart into customer sites, the attackers compromised a script used by Adverline to display ads on customer web pages.
This script would first load a fingerprinting script that tried to determine whether the visitor was a legitimate shopper rather than a security researcher or automated scanner analyzing the site. If it decided the visitor was not a valid user, it would not load the script that performed the credit card skimming.
Klijnsma told BleepingComputer that even though the MageCart toolkit used fingerprinting, it still failed to prevent RiskIQ's crawlers from detecting the malicious code.
Once a visitor passed the fingerprinting stage, the script would check whether the page URL contained any of a list of English, French, or German keywords before loading the actual skimmer script.
If a consumer was on a targeted page, the MageCart toolkit would load the skimmer script, which then harvested the data entered into form fields and staged it in the browser's local storage before sending it out.
RiskIQ states that when the script sends the data back to a remote server under the attacker's control, the exfiltration is "performed through a URL-encoded POST request which has the stolen information base64 encoded into the body."
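The exfiltration format RiskIQ describes (a URL-encoded POST whose body carries the stolen fields base64-encoded) is something an analyst will want to decode and triage when it turns up in proxy logs or a browser capture. The Node.js code below is an added example and is not code from either report or from the skimmer itself: it builds a constructed sample body in that shape, decodes it, and flags any field holding a Luhn-valid card number. The form field name `data`, the JSON layout of the stolen fields, and the test card number are assumptions for illustration only.

```javascript
// Added example (not from the RiskIQ/TrendMicro reports): decode a skimmer-style
// exfiltration body and flag stolen card numbers. Field name "data" and the JSON
// layout are assumptions; the real skimmer's exact layout is not reproduced here.

// Luhn check, used to decide whether a digit run looks like a real PAN.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Constructed sample of the described format: harvested fields are serialised,
// base64-encoded, and placed into a URL-encoded form body.
function buildSampleBody(fields) {
  const b64 = Buffer.from(JSON.stringify(fields), "utf8").toString("base64");
  return "data=" + encodeURIComponent(b64);
}

// Analyst side: recover the stolen fields from a captured request body.
// Returns null when the body does not carry the expected parameter.
function decodeExfilBody(body) {
  const params = new URLSearchParams(body);
  const b64 = params.get("data");
  if (b64 === null) return null;
  const text = Buffer.from(b64, "base64").toString("utf8");
  try {
    return JSON.parse(text);
  } catch (e) {
    // Not JSON: hand back the decoded text so it can still be inspected.
    return { raw: text };
  }
}

// Flag a decoded payload if any string value holds a Luhn-valid 13-19 digit run
// (spaces or dashes between digits are tolerated, as users often type them).
function findCardNumbers(payload) {
  const hits = [];
  const digitRun = /\d(?:[ -]?\d){12,18}/g;
  for (const [key, value] of Object.entries(payload || {})) {
    if (typeof value !== "string") continue;
    for (const m of value.match(digitRun) || []) {
      const digits = m.replace(/[ -]/g, "");
      if (luhnValid(digits)) hits.push({ field: key, pan: digits });
    }
  }
  return hits;
}

// Usage on a constructed capture (4111 1111 1111 1111 is a well-known test number).
const sampleBody = buildSampleBody({
  name: "Test User",
  cc: "4111 1111 1111 1111",
  cvv: "123",
});
const decoded = decodeExfilBody(sampleBody);
console.log("decoded fields:", decoded);
console.log("card numbers found:", findCardNumbers(decoded));

module.exports = { luhnValid, buildSampleBody, decodeExfilBody, findCardNumbers };
```

The Luhn filter matters in practice: order numbers, phone numbers and timestamps also produce long digit runs, so matching on length alone produces noisy alerts. Any finding still needs the captured destination host checked against the site's own allowed origins, since a legitimate payment processor will also send card data in POST bodies.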
Unfortunately, there is no one solution that can be given to web site owners on how to protect themselves from MageCart attacks. According to Klijnsma, the best "solution is to protect yourself from any kind of web attack."
This includes making sure your web servers and the software running on them have the latest security updates, implementing subresource integrity (SRI) so that a modified script is refused by the browser rather than executed, and hosting vetted copies of third-party scripts on your own servers instead of loading them live from a third party. SRI only helps for scripts whose content is fixed: a hash pinned on a retargeting script that the vendor updates server-side will fail closed and stop the script from loading, which is the point, but it means the vetted copy has to be re-reviewed and re-pinned on each vendor update.