Over the last several years there has been an increase in threat actor activity targeting online retailers with the sole purpose of collecting payment information from unsuspecting victims. One of the most recent and notorious threat actors behind this activity is a group referred to as MageCart. MageCart relies on a technique known as code injection: either the group compromises a website directly and adds its malicious code, or it compromises a third-party service that the victim site loads into its own pages. Each time a visitor goes through the payment process on a compromised website, the malicious code steals a copy of their payment information, including the credit card number.
MageCart has been active since 2015, and in its first year is believed to have compromised at least 3,500 online retailers. Over the years the group has exploited numerous retailers running the Magento Content Management System (CMS) through critical vulnerabilities, zero-day exploits, and brute-force attacks, but it also targets popular online chat providers whose widgets are present on the payment pages of vulnerable retailers. Compromising a chat provider allowed MageCart to increase both the speed at which it could compromise retailers and the volume of card data it could collect, since a single third-party script is loaded by every site that embeds it.
Timeline of Notable MageCart Activity in 2018 alone:
Ticketmaster international and national websites (February – June 2018)
- Ticketmaster UK notified its customers of a breach lasting from February 2018 to June 23rd, 2018. Malicious software was identified in a customer support plugin supplied by a third-party provider (Inbenta Technologies) and injected into Ticketmaster's website. Further investigation found a unique piece of code in Inbenta's code that traces back to the MageCart group. Ticketmaster uses many third-party service providers, and Inbenta was not the only one compromised by MageCart.
7000+ Retailers Compromised by MageCart (August 2018)
- Security researcher Willem de Groot identified 7,339 online retail websites compromised by MageCart as of August 2018. He also found that 50 to 60 new online retail websites were being compromised every day, including those of multi-million dollar, publicly traded companies. On each compromised site, MageCart injected a malicious JavaScript file that recorded the keystrokes of visitors as they entered their details.
British Airways international website (August – September 2018)
- The largest airline in the UK was also affected by MageCart and reported a breach lasting from August 21st to September 5th, 2018. According to the report, 380,000 payment cards were compromised as a result. Security researchers noticed the addition of 22 lines of a familiar piece of malicious code to the source code of the payment page on the British Airways website.
Newegg website (August – September 2018)
- From August 14th to September 18th, the American online electronics retailer Newegg was compromised with a similar method. Security researchers identified an improved and shortened variant of the skimmer code: 15 lines of JavaScript injected into the website's payment page. The script harvested payment information and sent it to a malicious domain with a name similar to Newegg's and a valid HTTPS certificate, so the exfiltration raised no certificate warnings in the victim's browser. At the time, an unknown number of victims were affected.
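The British Airways and Newegg entries above describe the same pattern: a small block of JavaScript added to the payment page, posting card data to a domain the site never intended to talk to. The following Python script is an added example, not code from the article or from any of the companies named, and shows one way to audit a checkout page's script tags against an approved inventory: every external script must come from an allow-listed host, and every inline script must hash to a value reviewed earlier. The sample HTML and the hostnames shop.example, cdn.example and shop-example.net are constructed; the last stands in for a look-alike exfiltration domain.

```python
# Added example (not code from the original article): audit the <script> tags on
# a checkout page against an approved inventory. The page HTML below is a
# constructed sample, and the hostnames shop.example, cdn.example and
# shop-example.net are assumed; the last stands in for a look-alike domain.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page may load external JavaScript from (assumed inventory).
APPROVED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# SHA-256 digests of the inline scripts present when the page was last reviewed
# (assumed baseline, captured from a known-good copy of the page).
APPROVED_INLINE_SHA256 = {
    hashlib.sha256(b"window.checkoutConfig={currency:'USD'};").hexdigest(),
}

# Constructed sample: a checkout page carrying two scripts nobody approved.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib/jquery.min.js"></script>
<script>window.checkoutConfig={currency:'USD'};</script>
<script src="https://shop-example.net/assets/js/stats.js"></script>
<script>/* constructed stand-in for an unreviewed inline script */var t=1;</script>
</head><body><form id="payment"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def audit_scripts(page_html, approved_hosts=APPROVED_SCRIPT_HOSTS,
                  approved_inline=APPROVED_INLINE_SHA256):
    """Return one finding for every script on the page that is not in the baseline."""
    collector = ScriptCollector()
    collector.feed(page_html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is None:
            # Same-origin script such as /js/checkout.js: its contents are the
            # job of file-integrity monitoring on the web server, not this check.
            continue
        if host.lower() not in approved_hosts:
            findings.append(f"unapproved script host {host} ({src})")
    for body in collector.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in approved_inline:
            lines = len(body.splitlines())
            findings.append(f"unknown inline script, {lines} line(s), sha256 {digest[:16]}")
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML):
        print(finding)
```

Run against a copy of the live checkout page fetched on a schedule, this flags exactly the two things the cases above turned on: a script hosted on a domain that merely resembles the retailer's own, and an inline block whose hash matches nothing that was reviewed. The allow-list has to be maintained deliberately; a third-party script that is approved is still trusted completely, which is what the Ticketmaster case exploited.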
Conclusion
These events demonstrate the need to secure any website, especially those that store, process or manage payment or other personal information. Security teams must proactively monitor their web servers for any sign of malicious activity, including unauthorized access, modification of files, and the presence or execution of unknown files. Penetration tests and vulnerability scans should also be performed regularly to ensure the site remains secure. Regular patching and updates are necessary but not sufficient; on their own they can only go so far to prevent threat actors such as MageCart from compromising these systems, particularly when the injected code arrives through a trusted third-party script rather than through a vulnerability in the retailer's own software.
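The "modification of files" and "presence of unknown files" monitoring recommended above can be made concrete with a file-integrity baseline over the web root. The following Python script is an added example, not code from the article: it records a SHA-256 digest for every file under a web root, then reports files that were modified, added or removed relative to that baseline. The directory layout, file names and JSON baseline format are assumed, and demo() builds a throwaway web root to simulate the two changes the timeline entries describe: lines appended to an existing payment script and a new, unknown script dropped onto the server.

```python
# Added example (not code from the original article): a file-integrity check
# for a web root that reports modified, added (unknown) and removed files.
# The directory layout, file names and JSON baseline format are assumed;
# demo() builds a throwaway web root so the script runs offline.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot):
    """Map each file path (relative to webroot, POSIX separators) to its digest."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Classify every path as modified, added (unknown file) or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(webroot, baseline_file):
    """Record a known-good snapshot; keep this file somewhere the web server cannot write."""
    Path(baseline_file).write_text(json.dumps(snapshot(webroot), indent=2, sort_keys=True))


def check(webroot, baseline_file):
    """Compare the live web root against the saved baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare(baseline, snapshot(webroot))


def demo():
    """Build a small web root, baseline it, then simulate a skimmer injection."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp, "htdocs")
        (webroot / "js").mkdir(parents=True)
        (webroot / "index.html").write_text("<html><body>shop</body></html>\n")
        (webroot / "js" / "checkout.js").write_text("function pay(){}\n")
        baseline_file = Path(tmp, "baseline.json")  # in practice stored off-host
        save_baseline(webroot, baseline_file)

        # Simulated compromise (constructed): lines appended to the existing
        # payment script and a new, unknown script dropped into the web root.
        with open(webroot / "js" / "checkout.js", "a") as f:
            f.write("/* constructed stand-in for injected code */\n")
        (webroot / "js" / "stats.js").write_text("/* constructed unknown file */\n")

        return check(webroot, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two operational points matter more than the hashing itself. The baseline and the comparison should run from a host the web server cannot write to, otherwise an attacker who can edit checkout.js can also edit baseline.json. And the check has to run often enough to matter: the British Airways and Newegg injections described above stayed in place for roughly two weeks and five weeks respectively, windows that a daily comparison would have cut to a day.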