Magecart Attacks Grow Rampant in September

Attacks that compromise websites with scripts that steal payment card data from checkout pages have increased to hundreds of thousands of attempts in a little over a month.

The most publicized incidents resulting from these attacks are from cybercriminal campaigns known as Magecart, with one group apparently being responsible for compromising the websites of Ticketmaster, British Airways, Feedify, and Newegg.

Magecart campaigns consist of breaching websites and injecting a malicious script that loads on payment pages to collect the card details provided by users at checkout. The data is packaged and sent to a domain controlled by the attacker. This form of theft is also known as formjacking, payment card scraping or web-based skimming.

Symantec recently noticed a rise in this type of attack, recording 248,000 attempts since August 13, with 36% of them occurring September 13 through 20.

“If we compare the week of September 13 to 20 to the same week in August, the number of instances of formjacking blocked by Symantec more than doubled, jumping from just over 41,000 to almost 88,500—a percentage increase of 117 percent,” Symantec says.

Symantec is not alone in acting against Magecart activity. Earlier today, security researcher Kevin Beaumont tweeted that the number of domains and scripts associated with Magecart campaigns reached more than 1,000.

#TrackingMagecart I’ve updated the IoCs to double the number of domains, now tracking over 1000 objects –
some of the domains have now been sinkholed.
Recommend InfoSec vendors block/flag domains.
— Kevin Beaumont (@GossiTheDog) September 25, 2018

Yesterday, the researcher had just 78 indicators of compromise (IoCs), showing that the campaign is in full swing.

He is not alone in this effort: cybersecurity company RiskIQ has been sinkholing domains in the Magecart infrastructure since last week.

Yonathan Klijnsma, Threat Researcher Lead for RiskIQ, says that they’re also alerting affected parties of the compromise.

We started the process of sinkholing all magecart infrastructure some time ago, since last week it has started to be processed through. We aren’t collecting the data, it is processed through a non-profit to automate reporting to every affected party. More details soon.
— Yonathan Klijnsma (@ydklijnsma) September 25, 2018

Magecart activity has been tracked since 2015 by at least one security expert, Willem de Groot. He created the MageReport malware scanning website where one can check if their Magento-based webshop is vulnerable to known security issues.

De Groot’s scanner now includes Magecart IoCs collected by Kevin Beaumont, allowing more websites to check their code for traces pointing to a Magecart campaign.
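A site owner can run a similar check against their own checkout page. The following is an added example, not MageReport's or the researchers' code: it flags script tags that load from, or mention, a domain on an IoC list. The domains and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder IoC domains (assumption); a real list comes from an IoC feed.
IOC_DOMAINS = {"cdn-skim.example", "stats-collect.example"}
# Constructed checkout page: one clean script, two injected ones, one lookalike host.
SAMPLE = """<script src="/js/checkout.js"></script>
<script src="//js.cdn-skim.example/lib.js"></script>
<script>var u = "https://stats-collect.example/c";</script>
<script src="https://notcdn-skim.example/a.js"></script>"""

def matches_ioc(host):
    """True if host is an IoC domain or a subdomain of one (not a mere suffix)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

class ScriptAudit(HTMLParser):
    """Flags external scripts on IoC hosts and inline scripts naming an IoC domain."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, detail) tuples in document order
        self._inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._inline = not src
        # urlparse also handles protocol-relative URLs such as //host/x.js
        if src and matches_ioc(urlparse(src).hostname):
            self.findings.append(("external", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        # Catches inline scripts that name an IoC domain in plain text; obfuscated ones are missed.
        if self._inline:
            body = data.lower()
            self.findings += [("inline", d) for d in sorted(IOC_DOMAINS) if d in body]

def audit_page(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(audit_page(SAMPLE))
```

A static scan like this only sees scripts present in the fetched HTML; scripts added at runtime by other scripts need a browser-based check.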