Magecart goes after OpenCart websites to steal payment information

• Magecart Group 12 compromises OpenCart sites by injecting skimmers similar to the ones used to target Magento-based sites.
• In addition to this, the group also tried faking the Bing search engine script.

Magecart group, which is well-known for carrying out credit card skimming attacks has now targeted OpenCart-based online stores. Yonathan Klijnsma of RiskIQ reported on this latest string of attacks carried out by the group.

According to the researcher, Group 12 of Magecart was found deploying skimmers on OpenCart sites similar to the ones used to target Magento-based sites. Furthermore, it made use of a domain name called ‘batbing[.]com’ in the exploits.

How was the attack executed?

• Klijnsma observed that Group 12 used a JavaScript code known as ‘pre-filter’ to decide if they wanted to inject skimmers on the site.
• The script searched for the word ‘checkout’ in the URL visited by shoppers and then proceeded with inserting the skimmer. Following this, the credit card information entered by users would be stolen.
• In addition, the attacks also featured an impersonation attempt of Bing’s search engine script on the checkout page.

Activities of Group 12

• This particular group is known for compromising Adverline’s client sites. Adverline is a French advertising company.
• Group 12 has also compromised numerous e-commerce sites running on Magento, OpenCart, and OSCommerce. Apart from this, several Wordpress sites were also targeted.
• They mainly target third-party services in e-commerce sites, by injecting skimming code in JavaScript libraries used in these sites.

Unpatched platforms are the major issue

In his blog, Klijnsma emphasized that the reason for such attacks. “Major online stores running these platforms are usually victimized when a platform-wide vulnerability comes out that requires immediate patching. But the majority of outdated platforms run on smaller, mostly unknown stores. Attackers target plugins installed on these platforms, which are often vulnerable because their developers write code for functionality over security,” Klijnsma wrote.