Attackers injected Github-hosted Magecart Card Skimmer on thousands of e-commerce sites

• The Magecart card skimmer script was uploaded to Github on April 20 by a user who goes under the name ‘momo33333’.
• After Segura disclosed the fraudulent use of GitHub service for infecting e-commerce sites with Magecart card skimmer script, Github immediately took down the skimmer script.

What is the issue - Attackers compromised the Magento installations of thousands of e-commerce websites to inject Github-hosted Magecart Card Skimmer script.

Why it matters - These malicious campaigns are observed since early April and almost 2,440 websites were found to be infected with Magecart card skimmer scripts since then.

The big picture

A security researcher from Malwarebytes Jerome Segura noted that the Magecart card skimmer script was uploaded to Github on April 20 by a user who goes by the name ‘momo33333’.

Segura also noted that the skimmer script has been obfuscated with a hexadecimal encoding.

After Segura disclosed the fraudulent use of GitHub service for infecting e-commerce sites with Magecart card skimmer script, Github immediately took down the skimmer script.

However, Segura noted that attackers behind this MageCart campaign can easily inject a new skimmer script hosted on servers they control or on other legitimate hosting services.

“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers,” Segura said.

Worth noting

• According to urlscan.io and PublicWWW scans, there are over hundreds of compromised websites with links to GitHub-hosted MageCart card skimmer.
• This campaign seems to be part of the larger MagentoCore skimming campaign that infected almost 7339 Magento stores last year.