Magecart Attacks Grow Rampant in September

Discussion in 'other security issues & news' started by guest, Sep 25, 2018.

  1. guest

    guest Guest

    Magecart Attacks Grow Rampant in September
    September 25, 2018
    https://www.bleepingcomputer.com/news/security/magecart-attacks-grow-rampant-in-september/
     
  2. 142395

    142395 Guest

    Another proof why default-deny on browser is important.
     
  3. guest

    guest Guest

    Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake
    October 9, 2018
    https://www.bleepingcomputer.com/ne...-in-thousands-of-stores-makes-rookie-mistake/
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    But the article says that the webpage itself is compromised, not the browser. I don't see how default-deny on browser will help.
    "Magecart campaigns consist of breaching websites and injecting a malicious script that loads on payment pages to collect the card details provided by users at checkout. The data is packaged and sent to a domain controlled by the attacker. This form of theft is also known as formjacking, payment card scraping or web-based skimming."
     
  5. 142395

    142395 Guest

    Maybe your def of default-deny is diff from mine in this context (I guess, you meant sth like anti-exe). If you block scripts (as well as other things such as iframe), those injected malicious scripts don't run. (default-deny may be kinda buzz word.)
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    You can block and disable 500 things on your local machine, and use a sandbox inside a virtual machine, but nothing will help if the data is stolen straight off the website.
     
  7. 142395

    142395 Guest

    If their DB was compromised. In the case described in the article, what was compromised was the web page. In this case blocking the responsible scripts is enough.
    Decent sites separate DB server from front page. Ofc terrible sites may not.

    [EDIT:] grammar
     
    Last edited by a moderator: Oct 12, 2018
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Can you block scripts from running on their webpage by blocking script interpreters on your computer?
    AFAIK, at the moment you enter data on a webpage, the security of your data now depends totally on the webmaster. You placed your data in his hands.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I would like to hear input from other forum members on this point.
     
  10. guest

    guest Guest

    No Cookies for CartThief, a New Magecart Variant
    October 12, 2018
    https://www.infosecurity-magazine.com/news/no-cookies-for-cartthief-a-new/
     
  11. 142395

    142395 Guest

    When you access a page, your browser sends a request to the server and the server returns a file/files (embedded in the HTTP response) which may include JavaScript and/or images etc. Then your browser interprets this and draws the page. This is how HTTP works roughly & basically. There are exceptions like Node.js, which allows server-side JS to simultaneously interact with the client side's, but if you wanna abuse server-side JS, you'll anyway need to alter client-side JS too AFAIK. Also, doing dubious things on the server may increase the risk of being detected quicker (the server somehow starts to connect to unknown domain(s)).

    A question is whether Magecart & its variants are implemented as 3rd party script or 1st party, as I guess not so many ppl block 1st party scripts by default. Quick search showed there are both cases: some are 3rd and others are 1st. But further reading gave me this fact: the malicious code eventually sends credentials to their server (disguised as a legitimate-looking domain) via jQuery.ajax. So if you block XHR by default (easy for uMatrix or RequestPolicy, not easy for uBO), you'll still be safe.

    It also does no harm to check whether your impo sites apply SRI (and other countermeasures for various threats such as X-Frame-Options) if they use 3rd party content, considering the likelihood your data is leaked by those sites is much higher than that you get malware (assuming you already have sufficient prot) - tho we can't exactly know how secure their server is, the website is a barometer for their seriousness about security, as well as other visible ones (SSL security, passwd requirements, DNSSEC, and email security such as encryption and SPF+DKIM if they use their own email). I've been wondering why "which service to go?" rarely becomes a topic compared to plenty of "which product to use?". It's one of the impo factors when I choose a web service.
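
The SRI check mentioned in the post above can be automated. This is an added example, not part of the original thread: it lists cross-origin scripts and stylesheets on a page that carry no `integrity` attribute, and computes the value a site owner would put there. The page URL, hostnames and sample HTML are constructed; SRI only pins third-party files and does not cover a tampered first-party script.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def sri_value(content, alg="sha384"):
    """Integrity attribute value for a resource body (alg-base64(digest))."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def _origin(url):
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port)

class SRIAudit(HTMLParser):
    """Sort cross-origin <script>/<link rel=stylesheet> into covered/missing."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.missing, self.covered = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            ref = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            ref = a.get("href")
        else:
            return
        if not ref:
            return  # inline script: SRI does not apply
        url = urljoin(self.page_url, ref)  # resolves relative and //host URLs
        if _origin(url) == _origin(self.page_url):
            return  # first-party resource, outside what SRI is meant to pin
        has_sri = bool((a.get("integrity") or "").strip())
        (self.covered if has_sri else self.missing).append((tag, url))

def audit(html, page_url):
    parser = SRIAudit(page_url)
    parser.feed(html)
    return parser

# Constructed sample page (hypothetical hosts, placeholder integrity value).
SAMPLE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.net/jquery.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//widgets.example.org/chat.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/theme.css">
</head></html>"""
```

Calling `audit(SAMPLE, "https://shop.example/checkout").missing` returns the two third-party resources that a changed upstream file could alter without the browser noticing.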
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Thanks. That's interesting. I understand that it is a complex interaction of server-side and client-side actions. So we can benefit in cases like this from the advanced browser extensions you mentioned.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Protecting applications from malicious scripts
    https://www.helpnetsecurity.com/2018/10/17/protect-applications-malicious-scripts/
     
  14. guest

    guest Guest

    Magecart group leverages zero-days in 20 Magento extensions
    October 23, 2018
    https://www.zdnet.com/article/magecart-group-leverages-zero-days-in-20-magento-extensions/
     
  15. guest

    guest Guest

    Magecart claims fresh victim in electronics kit seller Kitronik
    November 2, 2018
    https://www.zdnet.com/article/magecart-claims-fresh-victim-in-kitronik/
     
  16. guest

    guest Guest

    Magecart Cybercrime Groups Mass Harvest Payment Card Data
    November 13, 2018
    https://www.inforisktoday.com/magecart-cybercrime-groups-mass-harvest-payment-card-data-a-11700
     
  17. guest

    guest Guest

    Merchants struggle with MageCart reinfections
    1 in 5 compromised merchants get reinfected, average skimming operation lasts 13 days
    November 12, 2018

    https://gwillem.gitlab.io/2018/11/12/merchants-struggle-with-magecart-reinfections/
     
  18. guest

    guest Guest

    Magecart group hilariously sabotages competitor
    ...but it's still stealing your card data
    November 20, 2018

    https://www.zdnet.com/article/magecart-group-hilariously-sabotages-competitor/
     
  19. guest

    guest Guest

    Southeby’s Site Infected with Magecart for Over a Year
    December 3, 2018
    https://www.infosecurity-magazine.com/news/southebys-site-infected-magecart/
     
  20. guest

    guest Guest

    Payment Info Stolen from High-Profile Stores' Users via Formjacking Redirection
    The campaign targeted top worldwide shopping websites
    December 6, 2018

    https://news.softpedia.com/news/pay...sers-via-formjacking-redirection-524154.shtml
     
  21. guest

    guest Guest

    New Magecart Group Hits Hundreds of Sites Via Supply Chain
    January 16, 2019
    https://www.infosecurity-magazine.com/news/new-magecart-group-hits-hundreds/
    RiskIQ blog entry: New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks
     
  22. guest

    guest Guest

    Bad extensions now main source of Magento hacks: a solution!
    January 29, 2019
    https://gwillem.gitlab.io/2019/01/29/magento-module-blacklist/
     
  23. guest

    guest Guest

    Hackers spring into life at The Great British Florist
    February 5, 2019
    https://www.finextra.com/newsarticle/33314/hackers-spring-into-life-at-the-great-british-florist
     
  24. guest

    guest Guest

    Topps.com Sports Collectible Site Exposes Payment Info in MageCart Attack
    February 27, 2019
    https://www.bleepingcomputer.com/ne...site-exposes-payment-info-in-magecart-attack/
     
  25. guest

    guest Guest

    MageCart Group Evolves Tactics To Better Steal Your Credit Cards
    February 28, 2019
    https://www.bleepingcomputer.com/ne...es-tactics-to-better-steal-your-credit-cards/
     