Magecart Group 12 compromised a script belonging to a French advertising company Adverline, in order to inject Magecart code into its client's websites. This script is used by Adverline's customers to retarget advertisements based on a visitors interests or other behavior. The injected Magecart code was designed to steal payment card details entered in checkout pages.
In November 2018, Magecart group 12 compromised the content delivery network (CDN) of Adverline, a French company that runs an advertising network with a predominantly EU clientele. The threat group injected malicious code into Adverline’s clients’ websites via the compromised script.
Researchers from RiskIQ noted that this compromised script would first load a fingerprinting script that would detect if the visitor was a legitimate customer or a security researcher attempting to analyze the site.
However, Yonathan Klijnsma, a researcher at RiskIQ told BleepingComputer that even though the Magecart used fingerprinting, it still failed to prevent RiskIQ's crawlers from detecting the malicious code.
The 13 keywords
The 13 keywords include onepage, checkout, store, cart, pay, panier, kasse, order, billing, purchase, basket, ymix, or paiement.
RiskIQ researchers noted that among the 13 words, 10 are in English, 2 in French, and 1 in German, indicating that Magecart was aware that most of the Adverline ads were on local EU sites.
Researchers from TrendMicro have also been tracking Magecart group activities and found a significant increase in activity.
“On January 1, we detected a significant increase in activity from one of the web skimmer groups we’ve been tracking. During this time, we found their malicious skimming code loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands,” TrendMicro said.