New MageCart Attack Campaign Targets E-Commerce Websites

MageCart Attack Campaign
  • Hundreds of e-commerce websites were affected by a new MageCart attack campaign.
  • Attackers infected websites through a compromised advertising script belonging to the French online advertising company Adverline.
  • Attackers compromised the content delivery network (CDN) of Adverline and injected code into the JavaScript library.
  • A new group called Magecart Group 12 was behind the attack.

Security researchers have discovered a new MageCart attack campaign targeting e-commerce websites through third-party service providers.

In MageCart attacks, attackers compromise an e-commerce website and inject a malicious piece of JavaScript code into its source code. This code collects all the data entered by the user and sends it to a remote server controlled by the attacker.

In this case, the skimming code was not injected directly into the e-commerce website but arrived through a compromised advertising script belonging to the French online advertising company Adverline.

Attack chain of the online skimming attack (source: Trend Micro)

According to reports published by Trend Micro and RiskIQ, the attackers behind the campaign are a new group called Magecart Group 12, which has a modus operandi similar to that of Magecart Group 5.

MageCart Group 5 was reported to be responsible for hacking 12 third-party companies, through which thousands of e-commerce websites were infected.

Hackers compromised the content delivery network (CDN) of Adverline and injected a piece of code into the JavaScript library for retargeting advertising.

In the analysis, researchers discovered 12 skimming codes on websites embedding Adverline’s retargeting script.


MageCart Group 12 uses two obfuscated scripts. The first script loads a fingerprinting script that checks whether the visitor is a valid user; if not, it does not load the second script, the skimming code.


Country-wise distribution of attacks (source: Trend Micro)

If the user is valid, the second script, before loading the skimming code, checks whether the URL contains any of the following keywords: onepage, checkout, store, cart, pay, panier, kasse, order, billing, purchase, basket, ymix, or paiement.

Once it detects any of the keywords in the URL, it loads the skimming code, extracts all payment information entered on the website and sends it to the attackers' remote server.
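For site owners, the keyword list above marks which pages this campaign selects. The following is an added example, not code from Trend Micro, RiskIQ or the original article: it flags scripts loaded from other hosts on those pages and notes whether each carries a Subresource Integrity attribute. The hostnames and sample HTML are constructed, and the case-insensitive substring match is an assumption.

```javascript
// Added example: URL keywords the article lists for the second-stage check.
const TARGET_KEYWORDS = ['onepage', 'checkout', 'store', 'cart', 'pay', 'panier',
  'kasse', 'order', 'billing', 'purchase', 'basket', 'ymix', 'paiement'];

// Assumption: case-insensitive substring match against the full URL.
function isTargetedUrl(pageUrl) {
  const lower = pageUrl.toLowerCase();
  return TARGET_KEYWORDS.some((keyword) => lower.includes(keyword));
}

// List scripts loaded from other hosts. The regex scan is a quick audit aid,
// not a full HTML parser.
function thirdPartyScripts(pageUrl, html) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, nothing fetched
    const host = new URL(src[1], pageUrl).hostname;
    if (host === pageHost) continue; // first-party
    findings.push({ host, src: src[1], hasIntegrity: /\bintegrity\s*=/i.test(tag) });
  }
  return findings;
}

// Only pages the keyword check would select are reported.
function auditPage(pageUrl, html) {
  return isTargetedUrl(pageUrl) ? thirdPartyScripts(pageUrl, html) : [];
}

// Constructed sample page; all hostnames are placeholders.
const SAMPLE_URL = 'https://shop.example/checkout/onepage';
const SAMPLE_HTML = `
  <script src="/js/app.js"></script>
  <script>var inline = 1;</script>
  <script src="https://ads.example/retargeting.js"></script>
  <script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>`;

for (const f of auditPage(SAMPLE_URL, SAMPLE_HTML)) {
  console.log(`${f.host}: ${f.hasIntegrity ? 'pinned with SRI' : 'no integrity attribute'}`);
}
```

A script without an integrity attribute runs whatever the third-party host serves at that moment, which is the trust the compromised library relied on.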

According to Trend Micro, Adverline was alerted about the incident and has now cleaned up its code.
