Magecart

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento CMS (hence the name). They steal customer payment card information.

Shopping carts are attractive targets because they collect payment information. When malware taps into this data stream, you have a ready-made card collection tool. The problem facing ecommerce sites is they don’t properly vet the code that is used with these third-party pieces.

The following is a listing of noteworthy campaigns involving Magecart seen in the month of January:

• An administration and e-commerce platform for K-12 schools and other educational institutions, suffered a Magecart attack in early January. Skimmers present on the websites collected names, payment-card numbers, expiration dates and CVV codes, as well as user IDs and passwords. No Social Security numbers, driver license numbers, or similar government ID card numbers were caught up in the breach

• Magecart targeted the website of a popular photography and imaging retailer to inject malicious code that stole customer payment card details. To hide the malicious traffic, the attackers registered a look-a-like domain that resembled a legitimate ZenDesk domain. This particular skimmer only acted when the customer made a purchase as a guest.

• A U.S. children's apparel maker and online retailer disclosed that its online purchasing platform was part of a Magecart attack to steal customer payment information. They were made aware when law enforcement officials informed the company that "credit cards used on its website were available for purchase on a dark web site."

• Concerned global citizens making donations to help fight the massive Australian bushfires were caught up in a Magecart attack. One of the attacker groups implanted a payment-card skimmer on the check-out page of a legitimate online donation site. In this instance, it was publicly acknowledged that the root cause was the site owners were running outdated Magento software.

• Multiple European websites for a cosmetic brand were hit with Magecart attacks. It appears that two different Magecart groups were competing for the credit card data on websites in the U.K., Italy, and Germany, but current evidence shows that only one exfiltrated the details successfully.