Magecart attackers compromise over 80 eCommerce sites

  • All of the compromised e-commerce websites are running an outdated version of Magento such as v1.5, v1.7, or v1.9.
  • 25% of these compromised websites are large brands in the motorsports industry and luxury retail.

What’s the matter?

Security researchers from Aite Group and Arxan Technologies have discovered that Magecart attackers have compromised over 80 eCommerce websites.

A brief overview

Researchers from Aite Group analyzed e-commerce websites and, within 2.5 hours of research, found at least 80 e-commerce sites that had been compromised by Magecart attackers.

The research revealed that 100% of the analyzed eCommerce websites were not protected and were vulnerable to digital card skimming and formjacking attacks.

Researchers reported their findings to federal law enforcement and are notifying all the impacted e-commerce organizations. The compromised e-commerce sites are located in the United States, Canada, Europe, Latin America, and Asia. However, the names of the victim sites were not revealed.

“To conduct this research, Aite Group used a source code search engine that scoured the web for obfuscated JavaScript that was found in repeating patterns of previously published Magecart breaches on pastebin.com,” read the report.

Key findings

  • All of the compromised e-commerce websites are running outdated versions of Magento, such as v1.5, v1.7, or v1.9, which are vulnerable to arbitrary file upload, remote code execution, and cross-site request forgery.
  • 25% of these compromised websites are large brands in the motorsports industry and luxury retail.
  • All of these compromised sites failed to use in-app protection such as code obfuscation and tamper detection.
  • The eCommerce sites were not all compromised by a single group of Magecart attackers.
  • Apart from selling the stolen payment card data on dark web forums, the attackers also use it to purchase merchandise on legitimate online shopping sites and have it shipped to pre-selected merchandise mules.

“The attacker has the purchased items shipped to their merchandise mules. To recruit merchandise mules, the attacker posts jobs that offer people the ability to work from home and earn large sums of money to receive and reship merchandise purchased with the stolen credit card numbers,” wrote the researchers in the report.

Recommendations

  • Researchers recommend that e-commerce websites update or patch their platform software to the latest version as soon as possible.
  • They suggest that e-commerce sites implement code obfuscation and white-box cryptography to make the web forms unreadable.
  • Online shoppers are also advised to periodically review their payment card details and bank statements for any suspicious activity.
Cyware Publisher
