• Magecart group 12 recently compromised an advertising script to inject malicious code into hundreds of websites.
  • The injected Magecart code was designed to steal payment card details entered in checkout pages.

Magecart Group 12 compromised a script belonging to a French advertising company Adverline, in order to inject Magecart code into its client's websites. This script is used by Adverline's customers to retarget advertisements based on a visitors interests or other behavior. The injected Magecart code was designed to steal payment card details entered in checkout pages.

What happened?

In November 2018, Magecart group 12 compromised the content delivery network (CDN) of Adverline, a French company that runs an advertising network with a predominantly EU clientele. The threat group injected malicious code into Adverline’s clients’ websites via the compromised script.

Researchers from RiskIQ noted that this compromised script would first load a fingerprinting script that would detect if the visitor was a legitimate customer or a security researcher attempting to analyze the site.

  • If it detected that it was not a valid customer, then it would not load the script which is designed to steal credit card details.
  • If it detected that the visitor was a valid customer, then the malicious code scans the URL for 13 keywords before loading the actual skimmer script.
  • Once the keywords scanning is done, Magecart toolkit would then load the skimmer script attempting to steal the information entered into form fields where it is stored into the browser's local storage.
  • Finally, the script sends the collected information back to a remote server which is controlled by the attacker. While sending back the information, it would be "performed through a URL-encoded POST request which has the stolen information base64 encoded into the body."

However, Yonathan Klijnsma, a researcher at RiskIQ told BleepingComputer that even though the Magecart used fingerprinting, it still failed to prevent RiskIQ's crawlers from detecting the malicious code.

The 13 keywords

The 13 keywords include onepage, checkout, store, cart, pay, panier, kasse, order, billing, purchase, basket, ymix, or paiement.

RiskIQ researchers noted that among the 13 words, 10 are in English, 2 in French, and 1 in German, indicating that Magecart was aware that most of the Adverline ads were on local EU sites.

Researchers' recommendations

  • Researchers advise end users to turn off JavaScript support in the browser while shopping online as Magecart code is a JavaScript.
  • They recommend users to employ services that provide unique payment card numbers for one-time online transaction, or card numbers that are valid only for a limited amount of time.
  • They also ask users to ensure that their web servers and the software are periodically updated.
  • Researchers suggest users implement subresource integrity (SRI) so that modified scripts are not loaded without their permission.
  • They further recommend hosting third-party scripts on own servers rather than hosting on a third-party server.

Researchers from TrendMicro have also been tracking Magecart group activities and found a significant increase in activity.

“On January 1, we detected a significant increase in activity from one of the web skimmer groups we’ve been tracking. During this time, we found their malicious skimming code loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands,” TrendMicro said.

Cyware Publisher