Security Affairs



Magecart cybercrime group is threatening e-commerce websites worldwide

Introduction

In recent weeks, the Magecart cybercrime group has conducted a number of successful attacks against e-commerce websites worldwide. The group specializes in compromising e-commerce websites to steal the payment details of visitors who make purchases online. The group has been active since at least 2015; recently it hacked several websites, including Ticketmaster and British Airways. The Magecart hackers compromise websites by injecting a skimmer script into the pages involved in the payment process. Let's analyze the attacks to better understand how this threat actor works.

Date                       Victim
August - September 2018    Newegg
August - September 2018    Feedify
August 2018                British Airways

Newegg

In September 2018, security experts observed an intensification of the activity associated with the Magecart cybercrime group. One of the victims is the computer hardware and consumer electronics retailer Newegg; crooks stole customers' credit card data from its website.

Researchers from the security firms Volexity and RiskIQ conducted a joint investigation into the security breach.

"Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.[…] presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out," reported Volexity. "This page, located at the URL […], would collect form data, siphoning it back to the attackers over SSL/TLS via the domain […]."

The Magecart group managed to compromise the Newegg website and steal the credit card details of all customers who made purchases between August 14 and September 18, 2018.

"On August 13th Magecart operators registered a domain called […] with the intent of blending in with Newegg's primary domain, […].
Registered through Namecheap, the malicious domain initially pointed to a standard parking host," reads the analysis published by RiskIQ. "However, the actors changed it to 217.23.4.11 a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page."

Figure 1 - Newegg attack timeline

The attackers registered the domain neweggstats(dot)com (similar to Newegg's legitimate domain) on August 13 and acquired an SSL certificate for it from Comodo. This technique is common to other attacks conducted by the gang, such as the one that recently hit the British Airways website.

On August 14, the group injected the skimmer script into the payment processing page of the official retailer website. When customers made a payment, the attackers were able to access their payment details and send them to the domain neweggstats(dot)com they had set up.

Figure 2 - skimmer script

"The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways," continues RiskIQ. "In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script."

Experts pointed out that users of both the desktop and mobile applications were affected by the hack. Customers who made purchases on the Newegg website between August 14 and September 18, 2018, should immediately block their payment card.

Feedify

In September, the MageCart cybercrime gang stole payment card data from customers of hundreds of e-commerce websites that use the cloud service firm Feedify. The Feedify cloud service is used by over 4,000 customers; it is a cloud platform for engaging customers' clients with tools that target them based on their behavior.

Feedify customers have to deploy a JavaScript script on their websites to use the service. The attackers targeted the supply chain of the Feedify service in order to reach all the customers of the company: they compromised the script that was installed on clients' websites. The script loads various resources from Feedify's infrastructure, including a library named "feedbackembad-min-1.0.js," which was compromised by MageCart.

Figure 3 - Feedify script

Every time a visitor loads a page of the e-commerce site of one of the Feedify customers, the page loads the malicious script that the Magecart gang uses to siphon personal information and payment card data.
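As an added example (not code from the article, RiskIQ, Volexity or Feedify), the check below is what a site operator could run against the JavaScript it loads from a third party such as Feedify, or against a self-hosted library like the Modernizr copy discussed later: it records a baseline hash of the reviewed file and flags both content drift and any hostname in the script that is not on the site's allowlist, marking hosts that embed the brand name as lookalikes (the neweggstats(dot)com pattern). All hostnames and script bodies in it are constructed sample data.

```python
import hashlib
import re

# Absolute URLs embedded in script text; sufficient for a baseline audit.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def external_hosts(script: str) -> set:
    """Lowercase hostnames referenced by absolute URLs in the script body."""
    return {h.lower() for h in HOST_RE.findall(script)}

def audit_script(name, body, baseline_sha256, allowed_hosts, brand):
    """Compare a served script against its reviewed baseline.

    Returns findings: a content change (hash drift), every hostname not on
    the allowlist, and whether such a hostname embeds the site's brand name
    (a lookalike drop domain rather than a random unknown host).
    """
    findings = []
    digest = sha256_hex(body)
    if digest != baseline_sha256:
        findings.append(f"{name}: content changed, sha256 {digest[:12]}")
    allowed = {h.lower() for h in allowed_hosts}
    for host in sorted(external_hosts(body) - allowed):
        kind = "lookalike" if brand in host else "unlisted"
        findings.append(f"{name}: {kind} host {host}")
    return findings

# Constructed sample: a reviewed widget library and the same file with one
# line appended that points at a brand-themed host not on the allowlist.
CLEAN_LIB = "/* feedback widget v1.0 */\nvar api='https://cdn.vendor.example/v1';\n"
BASELINE = sha256_hex(CLEAN_LIB)
TAMPERED_LIB = CLEAN_LIB + "var s='https://shopstats.example/collect';\n"
ALLOWED = ["cdn.vendor.example", "shop.example"]

def demo():
    """Audit the clean and tampered copies; returns (clean, tampered) findings."""
    clean = audit_script("widget.js", CLEAN_LIB, BASELINE, ALLOWED, "shop")
    tampered = audit_script("widget.js", TAMPERED_LIB, BASELINE, ALLOWED, "shop")
    return clean, tampered

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run it on a schedule against the live URL of each third-party script and alert on any finding; a hash change that was not an announced vendor release is the signal the Feedify customers lacked.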
The attackers compromised the websites using the Feedify service by injecting their malicious code into a library that the Feedify script served to customers' websites. Security experts from RiskIQ speculate that the MageCart hackers might have had access to the Feedify servers for nearly a month.

Once notified of the compromise, Feedify removed the malicious script; in this case, however, the attackers were able to take over the Feedify library again and re-infect the websites using it, a circumstance that suggests the hackers were able to compromise the company's architecture.

At the time of the attack, querying the PublicWWW service showed that the MagentoCore script was deployed on 5,214 domains; two weeks later, the number of compromised websites was still significant (3,496) despite the news of the attack having been reported by many media outlets.

British Airways

British Airways is probably one of the most high-profile victims of the recent activity of the MageCart gang. Researchers at RiskIQ attributed the attack against the website of the airline to the infamous crime gang. The MageCart group carried out a targeted attack against British Airways and used a customized version of the skimmer script that allowed it to remain under the radar. The hackers used dedicated infrastructure for this specific attack against the airline.

"This attack is a simple but highly targeted approach compared to what we've seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway's payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," reads the analysis published by RiskIQ. "The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name […] as well as the drop server path."

RiskIQ experts analyzed all the scripts loaded by the website and searched for any evidence of recent changes. They noticed changes in the Modernizr JavaScript library: the attackers added some lines of code at the bottom of the library so as not to break the script. The JavaScript library was modified on August 21 at 20:49 GMT.

The malicious script was loaded from the baggage claim information page on the British Airways website; the code added by the attackers allowed Modernizr to send customers' payment information to the attackers' server.

Figure 4 - British Airways website

The skimmer script also works for the mobile app, which means that customers using it were affected as well. The data stolen from British Airways was sent in the form of JSON to a server hosted on […] that resembles the legitimate domain used by the airline. It is interesting to note that the hackers purchased an SSL certificate from Comodo to avoid raising suspicion.

"The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server," continues RiskIQ.

At the time of writing it is still unclear how MageCart managed to inject the malicious code into the British Airways website.

"As we've seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible.
While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets," concludes RiskIQ.

About the Author

Pierluigi Paganini is the Head of Cybersecurity Services at Grant Thornton Consultants and CTO at CSE - CybSec Enterprise SpA. Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Director of the Master in Cyber Security at Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".