Magecart Scammers Exploit the Pandemic to Stretch Their Attack Surface

With the rise in attacks against a variety of industries, especially during the lockdown period, it has been a challenge to keep the front line of defense in the best shape throughout. Lately, Magecart attackers have been attempting to expand their territory, requiring organizations to be super-vigilant.

Making the headlines

Web skimmers are used to test new ways to circumvent vulnerable networks and conceal malware within systems. Recently, Magecart actors were found using web skimmers to target two of the world's biggest retail chains.
  • Security firms Sanguine Security and ESET have confirmed breaches of the websites of two companies - Claire's and Intersport, respectively.
  • Attackers hid malicious code to record payment card details entered during the checkout process of these websites.
  • As per reports, Claire's website, along with its sister-site Icing, was compromised between April 25 and April 30.

More about Claire’s attack

  • Cybercriminals registered the domain name claires-assets[.]com just a day after the store closed all of its 3000 physical locations due to the COVID-19 threat.
  • The group then unleashed the attack on a server hosted on the Salesforce Commerce Cloud by attaching a skimmer to a submit button on the checkout form.
  • Attackers deliberately chose an image file for the exfiltration of data since image requests are not often monitored by security systems.
  • The attack lasted for a month and a half, and the financial damage caused is not known as of now.
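
The image-request exfiltration described above can be hunted for in proxy or CDN logs. The sketch below is an added example, not code from the researchers or the original article; the log layout, the host allowlist, the .example domains and the length threshold are all assumptions, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions (not from the article): first-party hosts, log layout, threshold.
ALLOWED_IMAGE_HOSTS = {"www.shop.example", "cdn.shop.example"}
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")
MIN_PAYLOAD_LEN = 40  # cache-busters and pixel ids are rarely this long
ENCODED = re.compile(r"[A-Za-z0-9_-]+={0,2}")  # URL-safe base64 alphabet

# Constructed sample: "<timestamp> <page issuing the request> <requested URL>"
_card = base64.urlsafe_b64encode(
    b'{"pan":"4111111111111111","exp":"12/25","cvv":"123"}').decode()
SAMPLE_LOG = f"""\
2020-06-01T10:00:01Z /checkout https://cdn.shop.example/img/logo.png?v=3
2020-06-01T10:00:02Z /checkout https://px.analytics.example/t.gif?id=42
2020-06-01T10:00:09Z /checkout https://static-assets.example/a.jpg?d={_card}
2020-06-01T10:00:12Z /home https://cdn.shop.example/js/app.js
"""

def find_image_exfil(log_text, checkout_prefix="/checkout"):
    """Return (timestamp, host, param) for image requests that are issued
    from a checkout page, go to a host outside the allowlist, and carry a
    long encoded-looking query value."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, page, url = parts
        u = urlsplit(url)
        if not page.startswith(checkout_prefix):
            continue
        if not u.path.lower().endswith(IMAGE_EXTS):
            continue
        if u.hostname in ALLOWED_IMAGE_HOSTS:
            continue
        for name, value in parse_qsl(u.query, keep_blank_values=True):
            if len(value) >= MIN_PAYLOAD_LEN and ENCODED.fullmatch(value):
                hits.append((ts, u.hostname, name))
    return hits

if __name__ == "__main__":
    for hit in find_image_exfil(SAMPLE_LOG):
        print(hit)
```

A Content-Security-Policy `img-src` directive limited to the same allowlisted hosts gives the browser-side equivalent of this check.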

Some info about the Intersport attack

  • ESET researchers also revealed that the attack compromised the retailer’s website twice.
  • The first attack took place on April 30, and the systems were cleaned on May 3 upon the detection of malware. Then there was another attack on May 14.
  • The infected online stores were those of Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina.
  • The number of affected customers has not been disclosed by the company.

Web skimmers behind emergency services

Sectors such as retail, media, and hospitality are often the targets of various Magecart groups, but there was an incident last week where attackers laid a trap for emergency services. This time, they made their way in via an unprotected server database to infect the website.
  • Last week, the cybersecurity firm RiskIQ shared its findings wherein a Magecart group compromised three websites belonging to Endeavor Business Media via misconfigured AWS S3 data storage buckets.
  • As per the report, hackers attempted to steal credit card information and carry out malvertising campaigns.
  • The targeted sites were hosting emergency services-related content and chat forums catering to firefighters, police officers, and security professionals.
  • By the time the report was out, the websites were still hosting the malicious JavaScript skimming code.

The Magecart attack trend

In a recent RiskIQ report titled “Analysis of an Attack Surface,” researchers have referred to JavaScript threats like Magecart as a new frontier of cybercrime.
  • The firm observed a 30% surge in Magecart web skimmers for online shopping.
  • It further claimed to detect 2,552 Magecart attacks, or 425 instances per month.

Closing lines

A brand’s reputation goes for a toss whenever its network is compromised. While organizations must identify threats before any sizable damage occurs, at the same time, they are advised to pay attention to account statements for unauthorized transactions and mitigate them quickly.