Magecart attacks are dwindling in number but making up for it in stealth, according to a recent Malwarebytes report. The researchers found that client-side Magecart attacks persist and that the market for stolen credit card information is buzzing.

Diving into details

  • A Sansec report, from June 9, disclosed a new skimmer domain. 
  • Three days later, another researcher tweeted about an allegedly suspicious host and its ties to a compromised e-commerce site. A third researcher later confirmed this in a separate tweet.
  • Upon investigating the reports, Malwarebytes researchers connected the domains to a larger campaign. 
  • The campaign dates back to Magecart activity from 2021, in which the hosted skimmer could detect virtual machines (VMs).
  • While the VM code has since been removed, the new malware comes with varying naming schemes.

Campaign connection

The researchers found several malicious domains by validating the skimmer activity. On the basis of one hash, the skimmers have been connected to a campaign from May 2020. To hide the skimmer, the threat actor used three unique themes named after JS libraries.

What’s changed?

In terms of attacks, WordPress with the WooCommerce plugin is overtaking Magento as the prime target among cybercriminals. The last Magecart attack, observed in February, hit over 500 e-commerce sites running an outdated version of Magento. A single piece of malware infected over 374 sites on the same day.

Moreover, the low frequency of Magecart attacks can be attributed to the low visibility of server-side attacks, since only a few attackers have access to PHP-based skimmers. In addition, cryptocurrency and other digital assets are more lucrative than credit cards, as recent attacks show.
Cyware Publisher