A notorious group behind digital skimming attacks has upped its game recently, infecting at least 40 new websites, according to researchers.
Magecart Group 12, one of many collectives using techniques designed to harvest card details from e-commerce websites, continues to adapt its modus operandi, according to researcher Max Kersten.
The current campaign has been running for several months, with the first hacked site linking to a skimmer domain on September 30 2019 and the most recent infection date being February 19 2020, he explained.
“The skimmer, hosted on jquerycdn.su, changed four times during the campaign. In the four versions of the skimmer that were used in this campaign, the used obfuscation method is the same as in the other reported campaigns,” he continued.
“The first stage loads the actual skimmer script, which is polluted with garbage code. The skimmer itself is different, compared to the first versions. The skimmer grabs all fields from the page, rather than all forms. Although the approach and script are different, the general concept remains the same: obtaining credit card credentials.”
Of the 39 new sites hit by the group, 13 were still compromised at the time of writing, despite being contacted by Kersten. Most appear to be SME-sized retailers who perhaps don’t have many resources to devote to cybersecurity. Consumers are urged not to shop on these sites.
Last month, Kersten and fellow researcher Jacob Pimental revealed how Magecart 12 was targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020 tournaments. Although the domain was taken down, the group simply swapped it for another and continued, highlighting the resilience of the threat, according to RiskIQ.
Tarik Saleh, senior security engineer at DomainTools, urged companies to ensure their underlying operating systems and web frameworks are patched and up-to-date to prevent common exploits running.
“Secondly, it’s important to adjust your web application’s Content Security Policy (CSP) to allow scripts running on it to be from your specific whitelisted domains,” he added.
“Thirdly, I recommend deploying a File Integrity Monitoring (FIM) solution to your website’s directory containing the scripts used for the checkout or payment handling process. FIM solutions are great for monitoring when files have been tampered with or added to your website, and in this case it won’t prevent you from being compromised, but it will let you know if Magecart has been installed.”
It’s believed that Magecart groups had infected over two million websites, as of October 2019.