- The attackers skimmed payment information from multiple online stores instead of directly targeting a store.
- Malicious code was planted in numerous third-party sites that used Shopper Approved’s customer rating widget.
Shopper Approved - a third-party application that provides rating seals for online stores - was hit by the notorious Magecart cyber-espionage group. The attackers skimmed payment information from multiple online stores instead of directly targeting a store.
Shopper Approved provides a “review widget” that companies can embed on their sites to collect ratings and reviews from customers. RiskIQ, the cybersecurity firm that discovered the attack, said that the hacker group had gained access to Shopper Approved’s server infrastructure and embedded malicious code inside a file located at hXXps://shopperapproved[.]com/seals/certificate[.]js.
The drop server used in this attack was also used in the Feedify hack; Feedify was also attacked by the Magecart malware in mid-September.
Magecart is a cyberespionage group that has been active since 2015. Over the past few months, the hacker group has launched attacks against organizations such as Ticketmaster, British Airways and Newegg.
The group primarily makes use of digital card skimmers, which are scripts injected into the targeted company’s websites, to steal customers’ payment card information. The British Airways breach that occurred in September saw Magecart hackers steal 380,000 customers’ payment card information.
Magecart uses a digital variant of the traditional card skimmer device, which is commonly used by attackers on ATM and card reader devices, to steal payment card information.
“The skimmer itself is built to skim any form on a page when it is submitted (input fields, select drop-downs, text areas, check-boxes, and buttons specifically). However, they filter the URL the victim is on to make sure it is a checkout page. This filters what they are skimming down to payment information,” Yonathan Klijnsma, a threat researcher with RiskIQ, told Threatpost.
The malicious skimmer was added to a legitimate script that ensures that the Shopper Approved plug-in works on other sites. The skimmer was left active starting September 15 for two days before it was discovered and removed, Klijnsma told Threatpost.
Shopper Approved investigating the attack
A Shopper Approved spokesperson said that the company has taken the necessary steps to remediate the issue and has initiated an internal investigation into the incident.
“The incident only affected a small portion of our customers that use the Shopper Approved seal on their website, and we have reached out directly to those we believe may have been affected,” the spokesperson told Threatpost. “The security of our systems and customers is a top priority for Shopper Approved, and we regret any inconvenience this incident may have caused.”
Further insight into the malicious code
The incident gave RiskIQ researchers a better understanding of the attack methods used by the Magecart hacker group. The attackers made a mistake while copy-pasting the Magecart skimmer code inside Shopper Approved’s certificate.js file. However, they replaced the wrong code with an obfuscated, non-readable version 15 minutes later. Researchers said that this information can help in tracking down the group’s code on the internet.
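A defensive check for the scenario described above, where a vendor-hosted widget script is modified on the vendor's server and then modified again 15 minutes later. This is an added example, not code from the article, RiskIQ or Shopper Approved: it pins a known-good copy of a third-party script using Subresource Integrity (SRI) style digests and audits later fetches against the pin. The function names and the script snapshots are constructed for illustration, and the parser is simplified (it ignores SRI option suffixes).

```javascript
// Added example: SRI-style integrity check for a third-party widget script.
const { createHash } = require("crypto");
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an SRI token ("sha384-<base64>") for a script body.
function sriDigest(body, alg = "sha384") {
  return `${alg}-${createHash(alg).update(body, "utf8").digest("base64")}`;
}

// Parse an integrity string: space-separated tokens, invalid ones dropped,
// then only the strongest algorithm present is kept (as browsers do).
function parseIntegrity(integrity) {
  const tokens = integrity.trim().split(/\s+/).map((t) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)$/.exec(t);
    return m ? { alg: m[1], token: t } : null;
  }).filter(Boolean);
  const best = Math.max(0, ...tokens.map((t) => STRENGTH[t.alg]));
  return tokens.filter((t) => STRENGTH[t.alg] === best);
}

// True only if the body matches a pinned token of the strongest algorithm.
// Design choice of this example: no usable pin means failure (fail closed).
function verifyScript(body, integrity) {
  const pinned = parseIntegrity(integrity);
  if (pinned.length === 0) return false;
  return pinned.some((p) => sriDigest(body, p.alg) === p.token);
}

// Constructed snapshots of a vendor script: the known-good file, a first
// modification, and a second modification replacing the first.
const BASELINE = "function showSeal(){/* widget code */}\n";
const SNAPSHOTS = [
  { at: "known-good", body: BASELINE },
  { at: "first change", body: BASELINE + "/* appended, readable */\n" },
  { at: "15 min later", body: BASELINE + "/* appended, obfuscated */\n" },
];

// For each fetch: does it still match the pin, and did it change since last time?
function auditSnapshots(snapshots, integrity) {
  let prev = null;
  return snapshots.map(({ at, body }) => {
    const digest = sriDigest(body);
    const row = { at, ok: verifyScript(body, integrity), changed: prev !== null && digest !== prev };
    prev = digest;
    return row;
  });
}

const PINNED = sriDigest(BASELINE); // recorded when the script was reviewed
console.log(auditSnapshots(SNAPSHOTS, PINNED));
```

On a live page the same pin goes in the `integrity` attribute of the `<script>` tag (with `crossorigin`), so the browser refuses a modified file; this only works when the vendor serves a stable, versioned script.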