- The Magecart card skimmer script was uploaded to GitHub on April 20 by a user who goes by the name ‘momo33333’.
- After Segura disclosed the fraudulent use of the GitHub service to infect e-commerce sites with the Magecart card skimmer script, GitHub immediately took down the skimmer script.
What is the issue - Attackers compromised the Magento installations of thousands of e-commerce websites to inject a GitHub-hosted Magecart card skimmer script.
Why it matters - These malicious campaigns have been observed since early April, and almost 2,440 websites have been found to be infected with Magecart card skimmer scripts since then.
The big picture
Jerome Segura, a security researcher at Malwarebytes, noted that the Magecart card skimmer script was uploaded to GitHub on April 20 by a user who goes by the name ‘momo33333’.
Segura also noted that the skimmer script had been obfuscated with hexadecimal encoding.
After Segura disclosed the fraudulent use of the GitHub service to infect e-commerce sites with the Magecart card skimmer script, GitHub immediately took down the skimmer script.
However, Segura noted that the attackers behind this Magecart campaign can easily inject a new skimmer script hosted on servers they control or on other legitimate hosting services.
“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers,” Segura said.
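Because the skimmer can be re-hosted anywhere and is hidden behind hexadecimal encoding, a site owner can audit rendered storefront pages for both signs at once. The following Python sketch is an added example, not code from Malwarebytes or from the original article; the allowlisted hosts, the sample page and the escape-count threshold are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this store legitimately loads scripts from (hypothetical names).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://untrusted-host.example/lib/widget.js"></script>
<script>var u="\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x63\\x2e\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65";</script>
</head></html>"""

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_script = not src
            (self.external if src else self.inline).append(src or "")

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def audit_page(html, allowed_hosts=ALLOWED_HOSTS, min_escapes=8):
    """Return findings: off-allowlist script hosts and hex-escaped inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if host and host.lower() not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in parser.inline:
        if len(HEX_ESCAPE.findall(body)) >= min_escapes:
            # Decode only the escapes so hidden strings can be reviewed as text.
            decoded = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)
            findings.append(("hex-obfuscated-inline", decoded))
    return findings
```

Running `audit_page` against a saved copy of each checkout page after every deployment turns any newly introduced script host into a reviewable finding, regardless of which hosting service it points to.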
- According to urlscan.io and PublicWWW scans, there are hundreds of compromised websites with links to the GitHub-hosted Magecart card skimmer.
- This campaign seems to be part of the larger MagentoCore skimming campaign that infected almost 7,339 Magento stores last year.