Magecart Attacks Grow Rampant in September

Discussion in 'other security issues & news' started by mood, Sep 25, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Magecart Attacks Grow Rampant in September
    September 25, 2018
    https://www.bleepingcomputer.com/news/security/magecart-attacks-grow-rampant-in-september/
     
  2. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    Another proof why default-deny on browser is important.
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Magecart Group Compromises Plugin Used in Thousands of Stores, Makes Rookie Mistake
    October 9, 2018
    https://www.bleepingcomputer.com/ne...-in-thousands-of-stores-makes-rookie-mistake/
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,087
    But the article says that the webpage itself is compromised, not the browser. I don't see how default-deny on browser will help.
    "Magecart campaigns consist of breaching websites and injecting a malicious script that loads on payment pages to collect the card details provided by users at checkout. The data is packaged and sent to a domain controlled by the attacker. This form of theft is also known as formjacking, payment card scraping or web-based skimming."
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    Maybe your def of default-deny is diff from mine in this context (I guess you meant sth like anti-exe). If you block scripts (as well as other things such as iframes), those injected malicious scripts don't run. (default-deny may be kind of a buzzword.)
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,087
    You can block and disable 500 things on your local machine, and use a sandbox inside a virtual machine, but nothing will help if the data is stolen straight off the website.
     
  7. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    If their DB was compromised. In the case described in the article, what was compromised was the web page. In this case blocking the responsible scripts is enough.
    Decent sites separate the DB server from the front page. Of course terrible sites may not.

    [EDIT:] grammar
     
    Last edited: Oct 12, 2018
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,087
    Can you block scripts from running on their webpage by blocking script interpreters on your computer?
    AFAIK, at the moment you enter data on a webpage, the security of your data now depends totally on the webmaster. You placed your data in his hands.
     
  9. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,087
    I would like to hear input from other forum members on this point.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    No Cookies for CartThief, a New Magecart Variant
    October 12, 2018
    https://www.infosecurity-magazine.com/news/no-cookies-for-cartthief-a-new/
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,642
    When you access a page, your browser sends a request to the server and the server returns a file/files (embedded in the HTTP response) which may include JavaScript and/or images etc. Then your browser interprets this and draws the page. This is roughly how HTTP works. There are exceptions like Node.js which allows server-side JS to simultaneously interact with the client side's, but if you wanna abuse server-side JS, you'll anyway need to alter client-side JS too AFAIK. Also, doing dubious things on the server may increase the risk of being detected quicker (the server somehow starts to connect to unknown domain(s)).

    A question is whether Magecart & its variants are implemented as 3rd party script or 1st party, as I guess not so many ppl block 1st party scripts by default. A quick search showed there are both cases: some are 3rd and others are 1st. But further reading gave me this fact: the malicious code eventually sends credentials to their server (disguised as a legitimate-looking domain) via jQuery.ajax. So if you block XHR by default (easy for uMatrix or RequestPolicy, not easy for uBO), you'll still be safe.

    It's also no harm to check whether your impo sites apply SRI (and other countermeasures for various threats, such as X-Frame-Options) if they use 3rd party content, considering the likelihood your data is leaked by those sites is much higher than that you get malware (assuming you already have sufficient prot) - tho we can't exactly know how secure their server is, the website is a barometer for their seriousness about security, as well as other visible ones (SSL security, passwd requirements, DNSSEC, and email security such as encryption and SPF+DKIM if they use their own email). I've been wondering why "which service to go with?" rarely becomes a topic compared to plenty of "which product to use?". It's one of the impo factors when I choose a web service.
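Added example, not from this thread or any of the linked articles: a small Python audit for the SRI check mentioned in the post above. It parses a page, lists third-party scripts and stylesheets that carry no integrity attribute, and verifies a resource body against an SRI token the way the browser does. The HTML, hostnames and library body are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """SRI token ("<algo>-<base64 digest>") a site would put in an integrity attribute."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"

def integrity_matches(content: bytes, integrity: str) -> bool:
    """True if any token of an integrity attribute matches the body, as the browser checks it."""
    return any(tok.partition("-")[0] in ("sha256", "sha384", "sha512")
               and sri_hash(content, tok.partition("-")[0]) == tok
               for tok in integrity.split())

class _SubresourceCollector(HTMLParser):
    """Collects (kind, url, integrity) for every external script and stylesheet tag."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], a.get("integrity")))
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            self.resources.append(("stylesheet", a["href"], a.get("integrity")))

def find_unprotected_third_party(html: str, page_url: str) -> list:
    """Third-party scripts/stylesheets with no integrity attribute, as (kind, url) pairs.
    Relative and same-host URLs are skipped: SRI cannot pin a first-party file the
    (possibly compromised) site serves itself, which is where script/XHR blocking matters."""
    page_host = urlsplit(page_url).hostname
    collector = _SubresourceCollector()
    collector.feed(html)
    return [(kind, url) for kind, url, integrity in collector.resources
            if urlsplit(url).hostname not in (None, page_host) and not integrity]

# Constructed sample page: a pinned CDN script, an unpinned tracker, an unpinned CDN stylesheet.
FAKE_LIB = b"/* constructed stand-in for a CDN library body */"
SAMPLE_HTML = f"""<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.com/lib.min.js" integrity="{sri_hash(FAKE_LIB)}" crossorigin="anonymous"></script>
<script src="https://stats.example.net/track.js"></script>
<link rel="stylesheet" href="https://cdn.example.com/theme.css">
</head><body></body></html>"""

if __name__ == "__main__":
    print(find_unprotected_third_party(SAMPLE_HTML, "https://shop.example/checkout"))
```

Feed it the saved HTML of a checkout page to see which third-party resources the site leaves unpinned; a first-party skimmer injected into the site's own files will not show up here, which is the post's point about blocking scripts and XHR client-side.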
     
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,087
    Thanks. That's interesting. I understand that it is a complex interaction of server-side and client-side actions. So we can benefit in cases like this from the advanced browser extensions you mentioned.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,190
    Location:
    Slovenia, EU
    Protecting applications from malicious scripts
    https://www.helpnetsecurity.com/2018/10/17/protect-applications-malicious-scripts/
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Magecart group leverages zero-days in 20 Magento extensions
    October 23, 2018
    https://www.zdnet.com/article/magecart-group-leverages-zero-days-in-20-magento-extensions/
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Magecart claims fresh victim in electronics kit seller Kitronik
    November 2, 2018
    https://www.zdnet.com/article/magecart-claims-fresh-victim-in-kitronik/
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Magecart Cybercrime Groups Mass Harvest Payment Card Data
    November 13, 2018
    https://www.inforisktoday.com/magecart-cybercrime-groups-mass-harvest-payment-card-data-a-11700
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Merchants struggle with MageCart reinfections
    1 in 5 compromised merchants get reinfected, average skimming operation lasts 13 days
    November 12, 2018

    https://gwillem.gitlab.io/2018/11/12/merchants-struggle-with-magecart-reinfections/
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Magecart group hilariously sabotages competitor
    ...but it's still stealing your card data
    November 20, 2018

    https://www.zdnet.com/article/magecart-group-hilariously-sabotages-competitor/
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Southeby’s Site Infected with Magecart for Over a Year
    December 3, 2018
    https://www.infosecurity-magazine.com/news/southebys-site-infected-magecart/
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    8,925
    Payment Info Stolen from High-Profile Stores' Users via Formjacking Redirection
    The campaign targeted top worldwide shopping websites
    December 6, 2018

    https://news.softpedia.com/news/pay...sers-via-formjacking-redirection-524154.shtml
     