News has emerged of yet another Magecart victim following a major breach affecting British Airways: this time a push notification service provider known as Feedify has been repeatedly targeted.
A Twitter user known as “Placebo” claimed on Tuesday that they had spotted the malicious script added to JavaScript code from the e-commerce supplier, which is said to serve thousands of websites.
However, RiskIQ threat researcher Yonathan Klijnsma explained that Feedify had actually been “affected” by Magecart since August 17. Despite the firm remediating the issue, it appeared that the hackers re-inserted the malicious script soon after.
Security researcher Kevin Beaumont warned e-commerce firms to remove Feedify.
“The Magecart code is back in @_Feedify's shared Javascript library again,” he explained. “All vendors (e-commerce, hotels etc) need to remove this JavaScript link ASAP from their stores as Feedify are clearly compromised.”
Feedify is the latest in a long line of Magecart victims. However, contrary to previous reports, Klijnsma explained that the attacks aren’t tied to a specific group but to a number of separate entities all using the same code.
This explains why some attacks go for a supply chain provider, such as Feedify or Ticketmaster partner Inbenta Technologies, while others have targeted the e-commerce site directly, like the sophisticated BA attack.
Another victim of the group over recent weeks is fashion and home décor provider Groopdealz, according to Klijnsma. He revealed this week that the firm’s site was infected with the Magecart skimmer on August 5.
Magecart has been tracked since 2016: it’s code that operates on a website a bit like a card skimmer in that it detects and then steals card data as it is entered into an e-commerce site. Unlike in most traditional breaches where the attackers go after card databases, the CVV numbers can also be hoovered up via this skimming technique, making the stolen data more easily monetizable.