Posted on June 4, 2023 at 8:29 AM

Hackers Launch Magecart Credit Card Stealing Campaigns To Compromise Legitimate Sites

Hackers have launched a new Magecart credit card stealing malicious campaign. In this campaign, the hackers have compromised legitimate sites and acted as “makeshift” command and control (C2) servers to deploy and hide the skimmers on the targeted eCommerce platforms.

Hackers compromise legitimate sites

The attack launched by these hackers is known as a Magecart hacking campaign. In this type of hacking attack, the hackers gain unauthorized access to online stores where they deploy malicious scripts. These scripts are then used to steal the credit card details of customers and their personal information during the checkout process.

This hacking campaign was revealed in a report published by Akamai researchers. The researchers said that the threat actors had compromised organizations across the United States, the United Kingdom, Australia, Peru, Brazil, and Estonia.

The cybersecurity company has also revealed that the majority of the victims that were targeted in this hacking campaign were breached for more than a month. The fact that many victims could not identify the activities of these hackers shows that they were stealth in their campaign to avoid being detected by the victims and antivirus programs.

The first step that was taken by these hackers was to detect vulnerable legitimate websites and conduct hacking campaigns against these websites. These sites were targeted to host malicious code. The hackers also used them as command-and-control servers that were later leveraged to enable the attacks.

These hackers later distributed credit card skimmers using these legitimate websites. The sites that were compromised were those with a positive reputation. The threat actors avoided detection and being blocked. These sites are also free from the need to set up their own infrastructure.

The next step taken by these attackers was to inject a small JavaScript snippet into the targeted commerce websites. The snippet will fetch the malicious code from the websites that were previously compromised.

The Akamai researchers have also said that it remained unclear how these sites were compromised. The hackers search for vulnerabilities within the targeted websites or on third-party services that are vulnerable to attacks.

“Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites’ digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website,” the Akamai researchers said.

As aforementioned, the hackers behind this campaign are stealth in their campaign to avoid detection and ensure that they can remain within the targeted devices while they remain hidden.

To avoid this detection, the attackers hid the skimmer using Base64 encoding. This skimmer also conceals the URL of the host, and it has also created its structure in a manner that looks similar to the one by Google Tag Manager or Facebook Pixel. The two are some of the most popular third-party services, and leveraging them to conduct an attack was less likely to cause suspicion.

Hackers compromise devices to steal data

The report that was published by the Akamai researchers revealed that there were two variants of the skimmer that were used to conduct this hacking campaign. The first variant involved a version that was heavily obfuscated.

This variant contained a list of CSS selectors that targeted the customer’s PII and credit card details. These CSS selectors varied for every targeted site. These selectors were also customized in a manner that would match the needs of every victim.

The second skimmer variant that was used in this attack did not have a high level of protection. Instead, it exposed indicators within the code that aided Akamai and capped the reach of this campaign, and detected the additional victims targeted in this campaign.

The skimmers in question also gained unauthorized access to the details of these customers. The data was also located within the attacker’s server through a HTTP request that was created in the form of an IMG tag within the skimmer.

A layer Base64 encoding also applies to the data in question and it is used to hide the transmission and to minimize the chances of the victim detecting this breach and to hide the nature of the attack.

The owners of the websites that were infected can defend themselves against the Magecart attacks by protecting the website admin accounts in the right manner. They can also install security updates for the plugins and CMS.

Customers at online shops are the most exposed to this threat. These customers can reduce the risk of exposure using electronic payment methods, virtual cards, and setting charge limits on their credit cards.