loader gif

Massive Magecart attack campaign breaches over 960 e-commerce stores

Massive Magecart attack campaign breaches over 960 e-commerce stores
  • The Magecart campaign is an automated attack campaign that breached almost 962 e-commerce stores in just 24 hours.
  • This campaign compromised e-commerce customers’ payment details including full credit card data, names, phone numbers, and addresses.

Sanguine Security Labs uncovered that a large-scale Magecart campaign breached almost 962 e-commerce stores in just 24 hours.

“Our crawlers detected 962 breached stores last night. It is the largest automated campaign to date (previously: MGCore with 700 stores),” Sanguine Security Labs tweeted.

Automated attack campaign

This Magecart campaign is an automated attack campaign that breached over 962 e-commerce stores and successfully stole customers’ payment card details in just 24 hours time-frame.

Security researcher Willen de Groot from Sanguine Security told that attackers inserted a customized Javascript on e-commerce sites, essentially inserting a fake credit card payment section. The customized skimmer script was designed to collect e-commerce customers’ payment details including full credit card data, names, phone numbers, and addresses.

“This is the largest number of breaches [of] stores over a 24-hour period, which implies that their operation is highly automated. Victims are from all over the world, so were likely chosen opportunistically,” Willem de Groot told Computer Business Review.

How such automated Magecart attacks work remains unknown as the logs are still being analyzed. However, the JavaScript-based payment data skimmer script was decoded and uploaded by the security company to GitHub Gist.

“I am still waiting for logs to accurately say how they got compromised, but at first glance it appears to be a PHP object injection exploit for an existing vulnerability,” he added.

Yet another Magecart attack

Security researcher Micham uncovered another Magecart attack, wherein attackers injected a malicious skimmer within the site of The Guardian via old AWS S3 bucket and using wix-cloud[.]com as a skimmer gate.

loader gif