Magecart Attacks Grow Rampant in September

guest · Nov 1, 2020

Gold seller JM Bullion hacked to steal customers' credit cards
November 1, 2020
https://www.bleepingcomputer.com/ne...llion-hacked-to-steal-customers-credit-cards/

Precious metal online retailer JM Bullion has disclosed a data breach after their site was hacked to include malicious scripts that stole customers' credit card information.
JM Bullion is an online retailer of gold, silver, copper, platinum, and palladium products, including coins and bullion.

The malicious scripts were present on the site between February 18th, 2020, and July 17th, 2020, and caused any submitted payment information to be sent to a remote server under the attacker's control.
This type of compromise is known as a MageCart attack and consists of hackers compromising a website to inject malicious JavaScript scripts into various web site sections.
Click to expand...

As part of this breach, attackers could steal customers' names, addresses, and payment card information, including the account number, expiration date, and security codes.
All customers who made purchases on JM Bullion's site between February 18th, 2020, to July 17th, 2020, should monitor their credit card statements for fraudulent activity.
Click to expand...

guest · Nov 11, 2020

Over 2800 e-Shops Running Outdated Magento Software Hit by Credit Card Hackers
November 11, 2020
https://thehackernews.com/2020/11/over-2800-e-shops-running-outdated.html

A wave of cyberattacks against retailers running the Magento 1.x e-commerce platform earlier this September has been attributed to one single group, according to the latest research.

"This group has carried out a large number of diverse Magecart attacks that often compromise large numbers of websites at once through supply chain attacks, such as the Adverline incident, or through the use of exploits such as in the September Magento 1 compromises," RiskIQ said in an analysis published today.
Collectively called Cardbleed, the attacks targeted at least 2,806 online storefronts running Magento 1.x, which reached end-of-life as of June 30, 2020.
Click to expand...

If anything, the attacks are yet another indication of threat actors continuing to innovate, playing with different ways of carrying out skimming, and obfuscating their code to evade detection, said RiskIQ threat researcher Jordan Herman.

"The prompting for this research was the widespread compromise of Magento 1, which went end-of-life this June, sites via an exploit," Herman said. "So the particular mitigation would be to upgrade to Magento 2, though the cost of upgrading might be prohibitive for smaller vendors."
Click to expand...

"There is also a company called Mage One that is continuing to support and patch Magento 1. They released a patch to mitigate the particular vulnerability exploited by the actor in late October. [...]" he added.
Click to expand...

Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches

guest · Nov 18, 2020

Heads up: A new strain of card-skimming Grelos malware is on the loose
Magecart variant has changed and you should be alert, warns RiskIQ
November 18, 2020
https://www.theregister.com/2020/11/18/magecart_grelos_research/

A new offshoot of the Grelos card-skimming malware - a common Magecart variant - is doing the rounds, according to infosec biz RiskIQ.

The latest strain described by RiskIQ contains "a rehash" of the original code first seen in 2015-16, consisting of a loader and a skimmer, "both of which are base64 encoded five times over."
A unique cookie linked to the Grelos strain gave researcher Jordan Herman the clue he needed to track it.

Spotted in the wild as part of the compromise of US-based Boom! Mobile earlier this year, the latest Grelos strain was linked to Fullz House, a hacking crew that combined the skills of two separate criminal gangs who respectively specialised in phishing and card skimming, as RiskIQ previously explained in a separate blog post.
Click to expand...

Different skimmer strains linked to Grelos have been "using the same infrastructure or other connections through WHOIS records and other malicious activities, such as phishing and malware during this investigation," wrote RiskIQ's Herman, who added that the Grelos strain appears to be linked to the oldest known Magecart operators, identified as Groups 1 and 2.
Click to expand...

RiskIQ: A New Grelos Skimmer Reflects the Depth and Murkiness of the Magecart Ecosystem

guest · Nov 21, 2020

mood said: ↑

Salesforce Data Breach Suit Cites California Privacy Law
February 4, 2020
https://news.bloomberglaw.com/priva...data-breach-suit-cites-california-privacy-law
Click to expand...

Hanna Andersson, Salesforce ink deal to settle CCPA data breach class action
November 20, 2020
https://today.westlaw.com/Document/I715743302b7e11ebb26bd3086ac74fc7/View/FullText.html

Hanna Andersson LLC and Salesforce.com Inc have reached a proposed agreement with plaintiffs to resolve class claims related to a 2019 data breach, according to a motion for preliminary approval of the settlement.

The litigation, composed of two consolidated cases against the children's apparel retailer and cloud technology services provider, was one of the early cases alleging a violation of the California Consumer Privacy Act, which took effect Jan. 1. Hanna has agreed to pay $400,000 and take corrective measures to resolve the claims, according to the unopposed motion filed Thursday in San Francisco federal court.
Salesforce doesn't appear to be contributing to the settlement fund.
Click to expand...

The litigation stems from Hanna Andersson's notification to customers and state attorneys general in January that an unauthorized third party had accessed information on its website for purchases made in a two-month period in 2019, potentially exposing customers' names, billing and payment card information, according to the complaint
Click to expand...

guest · Nov 30, 2020

Credit card skimmer fills fake PayPal forms with stolen order info
November 30, 2020
https://www.bleepingcomputer.com/ne...lls-fake-paypal-forms-with-stolen-order-info/

A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores.

Payment card skimmers are JavaScript-based scripts that cybercrime gangs known as Magecart groups inject within the checkout pages of e-commerce sites after hacking them as part of web skimming (also known as e-skimming) attacks.
Stolen order info used to pre-fill malicious checkout iframes
This new tactic for stealing online shoppers' payment card information was discovered by Affable Kraut using data from Sansec, a security company focused on fighting digital skimming.
As he discovered when analyzing the web skimmer, the malicious script was hidden inside an image hosted on the compromised store's own server using steganography.
Click to expand...

When the victim will get redirected to the PayPal order page, the fact that it's already partially filled out will likely raise the odds that it will be convincing enough to successfully capture their payment data.

"It even passes along the items in the cart and the accurate Total, Taxes, and Shipping costs," as Kraut added.
Once the victim enters their payment information and hits the submit button, the skimmer will exfiltrate all of it to apptegmaker[.]com, a domain registered in October 2020 and connected to tawktalk[.]com (this domain was also used for data exfil by a Magecart group with similarly coded loaders).

After stealing the victims' payment data, the skimmer will click the order button behind the malicious iframe sending the victim back to the legitimate checkout process.
Click to expand...

guest · Dec 3, 2020

Credit card stealing malware hides in social media sharing icons
December 3, 2020
https://www.bleepingcomputer.com/ne...-malware-hides-in-social-media-sharing-icons/

Newly discovered web skimming malware is capable of hiding in plain sight to inject payment card skimmer scripts into compromised online stores.

The malware's creators use malicious payloads concealed as social media buttons that mimic high profile platforms such as Facebook, Twitter, and Instagram.
Novel security scanner evasion tactic
This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.
Click to expand...

Even though this is not the first time that threat actors have used skimmers concealed within seemingly being images with the help of steganography, this malware is the first one that uses "a perfectly valid image."

"The result is that security scanners can no longer find malware just by testing for valid syntax," Sansec explained.
The summer test runs
Similar malware using this innovative loading technique was first spotted in the wild back in June 2020.
Those partially working payment skimmer samples might have been used as test runs for the fully functioning version discovered in mid-September Sansec said.
Click to expand...

Sansec: Payment skimmer hides in social media buttons

Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout pages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads the payload and executes the concealed code.
While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax.
Click to expand...

Krusty · Dec 6, 2020

How stolen credit cards are sold on the dark web

Stolen credit cards and payment credentials are being sold on the dark web for a few measly dollars.

If you’ve ever wondered where your stolen credit card turns up, a cybersecurity firm is offering hard proof.

Your credit card data is typically stolen in two ways. One is after a data breach like the Capital One incident that affected 106 million customers. The other is e-skimming, where hackers inject JavaScript code into website payment processing pages in order to pilfer credit cards and account data from customers.

During the holiday season, cybercriminals turn to e-skimming, Greg Foss, Senior Cybersecurity Strategist at VMware Carbon Black, told Fox News.
Click to expand...

https://www.news.com.au/technology/...b/news-story/4361a4eb1a50f5d0ab0ad7edbb7f8906

“Magecart is one of the most prominent [criminal] groups behind this activity [to] siphon off sensitive card data,” Mr Foss said.

Recently, Magecart has been impersonating legitimate payment applications using homoglyph attacks – for instance, creating a website “g00gle.com” instead of google.com – which fools victims into visiting the malicious site, Mr Foss explained.

The endgame for cybercriminals is peddling stolen credit cards that go for an average rate of $10 to $20 per card on the dark web, according to Mr Foss. PayPal accounts sell for $2 to $10 per account, with accounts holding more money costing even more.

The stolen credit card data is typically offered in a shopping cart format, where the “buyer” can check off which credit cards they want to purchase based on a menu of available credentials.

Those credentials often include Social Security numbers and the date of birth. “While there are other services that specialise in the aggregation and resale of [social security number and date of birth] data, many carding forums also provide this information in conjunction with credit cards,” Mr Foss said.

“This information makes the credit cards all that more valuable and extends the use-cases for this data exponentially,” he added.
Click to expand...

guest · Dec 8, 2020

Credit card stealing malware bundles backdoor for easy reinstall
December 8, 2020
https://www.bleepingcomputer.com/ne...-malware-bundles-backdoor-for-easy-reinstall/

An almost impossible to remove malware set to automatically activate on Black Friday was deployed on multiple Magento-powered online stores by threat actors according to researchers at Dutch cyber-security company Sansec.

Threat actors behind these web skimming attacks (also known as Magecart) targeted and infiltrated online stores powered by Magento 2.2.3 up to 2.2.7 beginning with April 2020.
Credit card skimmer mimicked payment flow

"Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday," Sansec said.
Detailed information on each of the malware components used in these web skimming attacks is available in Sansec's report.
Click to expand...

Sansec: Persistent parasite in EOL Magento 2 stores wakes at Black Friday

In addition to the injected flaw, attackers used a hybrid skimming architecture, with front and back end malware working in tandem. The added obfuscation & safeguarding measures make this the most complex skimming operation Sansec has identified this year.
Click to expand...

guest · Dec 8, 2020

Payment Card Skimmer Group Using Raccoon Info-Stealer to Siphon Off Data
December 7, 2020
https://thehackernews.com/2020/12/payment-card-skimmer-group-using.html

A cybercrime group known for targeting e-commerce websites unleashed a "multi-stage malicious campaign" earlier this year designed with an intent to distribute information stealers and JavaScript-based payment skimmers.

In a new report published today and shared with The Hacker News, Singapore-based cybersecurity firm Group-IB attributed the operation to the same group that's been linked to a separate attack aimed at online merchants using password-stealing malware to infect their websites with FakeSecurity JavaScript-sniffers (JS-sniffers).
The ultimate goal of the attack, the researchers noted, was to steal payment and user data via several attack vectors and tools to deliver the malware.
Click to expand...

"Attackers sent links to fake pages that informed victims about a missing plugin required to display the document correctly," Group-IB researchers explained in an analysis of the cybercrime group's tactics last November. "If a user downloaded the plugin, their computer was infected with the password-stealing malware."

Along with the four stages described above, Group-IB also observed an interim phase between May to September 2020, during when as many as 20 online stores were infected with a modified JS-sniffer of the FakeSecurity family.
Interestingly, the infrastructure used to distribute the Vidar and Raccoon stealers shared similarities with those used to store the sniffer code and collect stolen bank card data, leading the researchers to link the two campaigns.
Click to expand...

The development is yet another sign that adversaries are stepping up their efforts to compromise online marketplaces to pilfer customer payment information, even as law enforcement agencies are working to tackle cybercrime.
Click to expand...

Group-IB: Massive malicious campaign by FakeSecurity JS-sniffer

In March 2019, Group-IB published its report titled "Crime without punishment: in-depth analysis of JS-sniffers", which analyzed 15 different families of JS-sniffers used to infect over 2,000 e-commerce websites.

In December 2018, Group-IB specialists detected a new JS-sniffer family called FakeSecurity. It was used by a cybercrime group targeting Magento-based websites. While attacking websites, attackers injected a link to a malicious code into the website's source code.
Click to expand...

guest · Dec 9, 2020

Hackers hide web skimmer inside a website's CSS files
December 9, 2020
https://www.zdnet.com/article/hackers-hide-web-skimmer-inside-a-websites-css-files/

Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) inside various locations of an online store for the purpose of avoiding getting detected.
The latest of these odd places is, believe it or not, CSS files.
WEB SKIMMER GANG EXPERIMENTS WITH CSS
One of the recent additions to the CSS language was a feature that would allow it to load and run JavaScript code from within a CSS rule.
Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.
Click to expand...

De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.

"It was [...] a fairly standard keystroke logger," de Groot told ZDNet when we asked him to describe the code he found today.
"However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment."
Click to expand...

As ZDNet explained in a piece on Monday about another of SanSec's findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
Click to expand...

guest · Dec 18, 2020

Stealthy Magecart malware mistakenly leaks list of hacked stores
December 18, 2020
https://www.bleepingcomputer.com/ne...lware-mistakenly-leaks-list-of-hacked-stores/

A list of dozens of online stores hacked by a web skimming group was inadvertently leaked by a dropper used to deploy a stealthy remote access trojan (RAT) on compromised e-commerce sites.
Sleepy rats in online shop servers
Researchers at Sansec, a security company focused on protecting e-commerce stores from web skimming attacks, said that the malware was delivered in the form of a 64-bit ELF executable with the help of a PHP-based malware dropper.

Sansec hijacked the attackers' RAT dropper and found that it also contained a list of 41 compromised stores besides the usual malicious code used to parse deployment setups for several Magecart scripts.
Click to expand...

This might be explained by the fact that the dropper has been coded by someone who seems to have a lot less experience with PHP as it "uses shared memory blocks, which is rarely used in PHP but is much more common in C programs."
Sansec has also reached out to the online stores included in the Magecart malware dropper's code to let them know that their servers have been infiltrated.
Click to expand...

Sansec: eCommerce trojan accidentally leaks victims

Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked eCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim stores in a deleted file, which unveils the depth of this hacking campaign. The RAT is used to gain illicit long-term access to eCommerce systems, in order to steal valuable customer data (aka Magecart).

To frustrate forensic analsyis, the RAT sleeps almost continuously. [...]
Click to expand...

guest · Dec 25, 2020

mood said: ↑

‘UltraRank’ cybercrime gang behind JS sniffer campaigns previously linked to Magecart August 27, 2020

Group-IB: Group with numerous faces: chronicle of UltraRank’s deceptive JS-sniffer campaigns
Click to expand...

'UltraRank' Targets More E-Commerce Sites
Group Uses JavaScript Sniffer to Steal Payment Card Data
December 23, 2020
https://www.inforisktoday.com/ultrarank-targets-more-e-commerce-sites-a-15657

A cybercriminal gang known as "UltraRank" has launched a new campaign, targeting at least a dozen e-commerce sites to steal payment card data using a JavaScript sniffer, says security firm Group-IB.

This new series of attacks, which began in November, uses a relatively new JavaScript-sniffer called SnifLite, according to Group-IB. The firm's researchers contacted all the companies affected, but as of Wednesday, eight of the targeted sites remained infected with the malicious JavaScript code, they say.

"We assume that the gang will continue the infections as part of this campaign, as their operations in the past followed the same pattern of infections distributed over time," says Viktor Okorokov, threat intelligence and attribution analyst at Group-IB.
Click to expand...

Group-IB: New attacks by UltraRank group

As part of UltraRank's new campaign, Group-IB Threat Intelligence and Attribution team discovered 12 eCommerce websites infected with their JavaScript-sniffer. Eight of them remain infected at the moment of publication. Group-IB has sent notifications to the infected websites.
This time the JS sniffer's code was obfuscated using Radix obfuscation.

During their most recent series of attacks UltraRank stored their malicious code on the website mimicking a legitimate Google Tag Manager domain.
Click to expand...

guest · Dec 28, 2020

Multi-platform card skimmer found on Shopify, BigCommerce stores
December 28, 2020
https://www.bleepingcomputer.com/ne...-skimmer-found-on-shopify-bigcommerce-stores/

A recently discovered multi-platform credit card skimmer can harvest payment info on compromised stores powered by Shopify, BigCommerce, Zencart, and Woocommerce.
Displays errors as distraction
This new skimmer (also known as a Magecart script) can also abuse hosted e-commerce systems such as Shopify and BigCommerce, as researchers at Dutch cyber-security company Sansec found, even though they do not provide support for custom checkout pages scripts.

It does that by displaying a fake payment page before the customers land on the real checkout form and using a keylogger to intercept payment and personal information.
Click to expand...

"To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming," Sansec added. "Wherever customers enter their payment details, they are at risk."
During the last few months, Sansec researchers have discovered several Magecart campaigns using innovative tactics for evading detection and gaining persistence on hacked stores.
Click to expand...

Sansec: Multi-platform skimmer hits Shopify, Bigcommerce and others

A new type of payment skimmer was found on a dozen stores hosted on Shopify, BigCommerce, Zencart and Woocommerce. Hosted platforms like BigCommerce and Shopify do not allow custom Javascript on checkout pages. This skimmer evades that by showing a fake payment form and recording customer keystrokes before they enter the actual checkout page.
Once the data is intercepted, the skimmer displays an error message and the customer is redirected to the real payment pag [...]
Click to expand...

guest · Jan 16, 2021

Magecart Groups Hide Behind 'Bulletproof' Hosting Service
Researchers Find Groups Hiding JavaScript Skimmers and Phishing Pages
January 16, 2021
https://www.databreachtoday.com/magecart-groups-hide-behind-bulletproof-hosting-service-a-15778

Several Magecart groups hide their JavaScript skimmers, phishing domains and other malicious tools behind a "bulletproof" hosting service called Media Land, according to a report from security firm RiskIQ.

During their investigation, the RiskIQ researchers found that thousands of domains used for JavaScript skimmers, phishing domains and other malicious infrastructure have been registered with Media Land since 2018 using at least two email addresses and other aliases, according to the report.
Click to expand...

Jordan Herman, a threat researcher at RiskIQ and one of the authors of the report, notes that bulletproof hosting services, along with other underground services, support a robust ecosystem that allows Magecart groups to thrive.

"This is just another part of the skimming ecosystem that includes carding shops, skimmer kits, sales of access to compromised sites, etc. ... There's a vibrant black market around skimming," Herman says.
Click to expand...

hawki · Mar 16, 2021

"Hackers hide credit card data from compromised stores in JPG file

Hackers have come up with a sneaky method to steal payment card data from compromised online stores that reduces the suspicious traffic footprint and helps them evade detection.

Instead of sending the card info to a server they control, hackers hide it in a JPG image and store it on the infected website...

Researchers at website security company Sucuri found the new exfiltration technique when investigating a compromised online shop running version 2 of the open-source Magento e-commerce platform...

This allowed the attackers to easily download the information as a JPG file without triggering any alarms in the process as it would look as if a visitor simply downloaded an image from the website..."

https://www.bleepingcomputer.com/ne...ard-data-from-compromised-stores-in-jpg-file/

guest · May 3, 2021

Magecart scammers aim at restaurants' online delivery systems
May 3, 2021
https://www.cyberscoop.com/magecart-hack-delivery-pandemic/

Cybercriminals are increasingly targeting third-party infrastructure that restaurants across the U.S. use to place online orders, private investigators have found.

The last six months have seen hacks of five online ordering platforms, exposing some 343,000 payment cards, threat intelligence firm Gemini Advisory said on April 29. With titles like MenuSifu and Food Dudes Delivery, the platforms may not be household names, but hundreds of restaurants use the platforms — and crooks know it.

“Attacks such as these are appealing because breaching the website of a single online ordering platform can compromise transactions at dozens or even hundreds of restaurants,” Gemini Advisory analysts wrote in a blog post.
Click to expand...

With the string of hacks of online ordering systems, Gemini Advisory analysts are urging the platforms to pay closer attention to security measures. In the meantime, because it’s lucrative and effective, “cybercriminals will almost certainly continue attacking these merchants,” Gemini Advisory concluded.
Click to expand...

guest · May 18, 2021

Magecart Goes Server-Side in Latest Tactics Changeup
May 17, 2021
https://threatpost.com/magecart-server-side-itactics-changeup/166242/

Magecart Group 12, known for skimming payment information from online shoppers, was fingered for last September’s gonzo attack on more than 2,000 e-Commerce sites, and now researchers have issued a report explaining how they did it, detailing a new technical approach. The skimmers are still “very active,” according to the analysis.

Magecart 12, the latest incarnation of the web skimmer group, continues to launch attacks with malware created to mimic a favicon, also known as a “favorite icon” or “shortcut icon.”

“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file,” the report said. “The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file.”
Click to expand...

But in this instance, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block, the report adds, because it injects the skimmer code on the server-side, rather than the client side.

“As such, a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation,” the report said. “A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.”
Click to expand...

guest · Jun 17, 2021

Egg free Cake Box suffer data breach exposing credit card numbers
June 17, 2021
https://www.bleepingcomputer.com/ne...fer-data-breach-exposing-credit-card-numbers/

Eggfree Cake Box has disclosed a data breach after threat actors hacked their website to stole credit card numbers.

Cake Box is a UK chain of stores selling fresh cream celebration cakes made without eggs. There are currently 164 Cake Box stores located throughout the United Kingdom.
In emails sent to customers this week, Cake Box disclosed that their website was hacked in 2020 to include malicious scripts that stole customer information, including credit cards, submitted to the site.
Click to expand...

"We immediately launched a thorough investigation of our systems in response and, with the help of experienced third-party security specialists, determined that an unauthorised third party had indeed recently gained access to the Cake Box website and placed certain malware on it", disclosed Cake Box in a data breach notification sent to customers.
Click to expand...

Likely a MageCart attack
Based on the description, this breach appears to be a MageCart attack.

MageCart attacks are when threat actors hack an eCommerce site and add malicious scripts to their payment confirmation pages.
Click to expand...

hawki · Jul 9, 2021

"Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration...

'One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion...These can later be downloaded using a simple GET request at a later date'..."

https://thehackernews.com/2021/07/m...News (The Hackers News - Cyber Security Blog)

guest · Jul 26, 2021

‘Savory Spice’ Breached and Customer Credit Card Details Compromised
July 26, 2021
https://www.technadu.com/savory-spice-breached-and-customer-credit-card-details-compromised/291622/

Online spices marketplace ‘Savory Spice’ has had a nasty Magecart infection that spanned over three years.

During that period, customers who bought products from the site had their names and full card details stolen.

The actors may have used these details to purchase items online or may have sold them to others on the dark web.

Click to expand...

‘Savory Spice’, the Denver-based online spices marketplace that ships across the United States is now circulating notices of a data breach to its customers, informing them of a dire security incident. As detailed in the letter, someone has gained access to the company’s computer network on April 5, 2018, and maintained their malicious presence until March 27, 2021.
Weirdly, even though the notice mentions October 8, 2020, as the date of realizing the intrusion, the investigations took until July 14, 2021, to complete, leaving the actors free to continue their data-scraping operation in the meantime.

The type of data and the duration of the compromise sounds like a Magecart attack with skimmers having been planted onto the checkout page of the ‘Savory Spice’ website. Even if the IT team of the firm realized the problem in October 2020 and tried to clean up the code, subsequent re-infections may have reintroduced the skimmers on the site.
Click to expand...

guest · Oct 22, 2021

SCUF Gaming store hacked to steal credit card info of 32,000 customers
October 22, 2021
https://www.bleepingcomputer.com/ne...o-steal-credit-card-info-of-32-000-customers/

SCUF Gaming International, a leading manufacturer of custom PC and console controllers, is notifying customers that its website was hacked in February to plant a malicious script used to steal their credit card information.
Over 32,000 customers impacted
SCUF Gaming customers were the victims of a web skimming (also known as e-Skimming, digital skimming, or Magecart) attack.

Threat actors inject JavaScript-based scripts known as credit card skimmers (aka Magecart scripts, payment card skimmers, or web skimmers) into compromised online stores which allow them to harvest and steal customers's payment and personal info.
Click to expand...

In this case, the malicious script was deployed on SCUF Gaming's online store after the attackers gained access to the company's backend on February 3rd using login credentials belonging to a third-party vendor.

Two weeks later, on February 18th, SCUF was alerted by its payment processor of unusual activity linked to credit cards used on its web store.
The payment skimmer was detected and removed one month later, on March 16th, following what the company calls "a rigorous investigation in partnership with third-party forensic specialists."

"Our investigation has determined that orders processed via PayPal were not compromised and that the incident was limited to payments or attempted payments via credit card between February 3rd and March 16th," SCUF Gaming says in breach notification letters sent to affected individuals.
Click to expand...

guest · Nov 4, 2021

Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar
November 4, 2021
https://threatpost.com/magecart-credit-card-skimmer-avoids-vms-to-fly-under-the-radar/175993/

A new Magecart threat actor is stealing people’s payment card info from their browsers using a digital skimmer that uses a unique form of evasion to bypass virtual machines (VM) so it targets only actual victims and not security researchers.

The Malwarebytes team discovered the new campaign, which adds an extra browser process that uses the WebGL JavaScript API to check a user’s machine to ensure it’s not running on a VM, researchers revealed in a blog post published Wednesday.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.
Detecting VMs used by security researchers and sandboxing solutions that are set to pick up Magecart activity is “the most popular method” used to evade detection, Segura said.
Click to expand...

Specifically, the skimmer checks for the presence of the words swiftshader, llvmpipe and virtualbox because of the VMs different browsers use, he said. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.

If the targeted machine passes the check, the skimmer then extracts personal data in a typical way for such campaigns, scraping a number of fields including the customer’s name, address, email and phone number as well as their credit-card data.
Click to expand...

Malwarebytes: Credit card skimmer evades Virtual Machines

Evasion and defenders
This is not surprising to see such evasion techniques being adopted by criminals, however it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect.

In addition to code obfuscation, anti-debugger tricks and now anti-vm checks, defenders will have to spend more time to identify and protect against those attacks or at least come up with effective countermeasures.
Click to expand...

guest · Nov 15, 2021

10,000+ websites and apps are vulnerable to Magecart
November 15, 2021
https://www.helpnetsecurity.com/2021/11/15/websites-and-apps-vulnerable-to-magecart/

Some of the world’s largest companies across retail, banking, healthcare, energy and many other sectors, including Fortune 500, Global 500 and governments are failing to prevent Magecart attacks, Cyberpion research revealed.

Magecart is the common name for a style of cyber attack in which hackers compromise third party code (typically Javascript that runs in browsers) to steal, or scrape, information such as credit card data from web-applications (e.g. online checkout software) or websites that incorporate the code.
Click to expand...

The research analyzed more than 30,000 vulnerabilities over the last two years and found significant weaknesses in modern security platforms and processes to identify and mitigate exploits related to Magecart attacks.
Data skimming technique has become an unstoppable threat
Web skimming continues to be a real threat to online merchants and shoppers with attacks severely impacting organizations including British Airways and Ticketmaster in 2018, Forbes in 2019, plus local US government portals and messaging service Telegram 2020.

“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter.
Click to expand...

Magecart vulnerabilities still plaguing websites and apps

At least one of the top five enterprises in many verticals – retail, insurance, financial services, pharma, media, security and others – were found to be vulnerable or abused.

More than 1000 online shops are vulnerable, exposing their customers to skimming. Some of the most popular international newspapers were found to be vulnerable, often via their home page.

Some vulnerable or abused companies do use anti-Magecart solutions, but these could be bypassed.

Vendor infrastructure exposes many other connected organizations to Magecart, yet vendors often fail to inform them about it early enough so they could take preventative action to be taken. In one case, a leading online advertising network affected 15 global insurance brands alongside hundreds of other enterprises.

Click to expand...

Cyberpion: Cyberpion Research Reveals Magecart is Poised to Exploit World’s Biggest Brands

Over 10,000 websites and applications are vulnerable to Magecart, a digital supply chain attack used to steal login credentials, private information and credit card data without a trace
Data skimming technique has become an unstoppable threat
KIRKLAND, Wash. and TEL AVIV, Israel, November 10, 2021 – Cyberpion, a cybersecurity pioneer in external attack surface management (EASM), today presented research at Black Hat Europe 2021 revealing that some of the world’s largest companies across retail, banking, healthcare, energy and many other sectors, including Fortune 500, Global 500 and governments are failing to prevent Magecart attacks.
Click to expand...

guest · Nov 22, 2021

Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK's National Cyber Security Centre
November 22, 2021
https://www.theregister.com/2021/11/22/ncsc_magento_updates_black_friday_reminder/

If you run a small online business powered by the Magento ecommerce platform, Britain's National Cyber Security Centre (NCSC) is begging you to make sure it's fully patched ahead of Black Friday.

"Retailers are urged to ensure that Magento – and any other software they use – is up to date," said the GCHQ offshoot in a statement today, adding it had notified 4,151 online stores that their Magento installations were vulnerable to compromise by criminals.
"The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform," said the cybersecurity agency.
Click to expand...

Willem de Groot, MD of Sansec, told The Register that card-skimming is a real headache around this time of year.

"Every year," he lamented, "Sansec observes an uptick in online skimming incidents in the week before Black Friday. Since 2015, we have discovered more than 60,000 online stores with an injected payment skimmer."
Click to expand...

Attacks on Magento installations are so popular in the criminal underworld that they spawned an entire industry of card thieves loosely known as Magecart. Magecart gangs mostly target ecommerce platforms, no longer limiting themselves to the Adobe-owned software that proved so lucrative for them.

There's one more thing that everyone can do to protect themselves against card fraud during this weekend's US-inspired Black Friday/Cyber Monday shopping frenzy.

"Monitor your card statements, especially in the holiday season," warned Sansec's de Groot.
Click to expand...

NCSC: Guidance for retailers to prevent websites becoming Black Friday cyber traps

The NCSC encourages small online shops to protect their customers from cyber criminals over key shopping period.

National Cyber Security Centre notified over 4,000 small business sites whose customers' payment details were being stolen

The UK’s cyber experts reveal that hackers are exploiting a vulnerability in popular e-commerce software

SMEs urged to update software to avoid financial and reputational damage

Click to expand...

guest · Dec 6, 2021

Hackers plant card-stealing malware on website that sells baron and duke titles
November 29, 2021

A threat actor has hacked the website of the Principality of Sealand, a micronation in the North Sea, and planted malicious code on its web store, which the government is using to sell baron, count, duke, and other nobility titles.

Called a “web skimmer,” the malicious code allowed the hackers to collect user and payment card details for anyone who purchased products, such as nobility titles, from the country’s online store.
All transactions made on the site from October 12 have been intercepted by the hackers, Willem de Groot, founder of web security firm Sansec, told The Record in a phone call today.
Click to expand...

Hackers have taken control of the government site of Sealand, the North Sea micronation, since Oct 12th.

People buying Baron or Duke titles have likely been skimmed. Sorry, sirs! pic.twitter.com/bQvzbXQ21F
— gwillem (@gwillem) November 29, 2021
De Groot said the code was not functioning today due to an error but had been active since it was first planted on the Sealand website.
Click to expand...

Log in or Sign up

Magecart Attacks Grow Rampant in September

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Krusty Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Magecart Attacks Grow Rampant in September

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Krusty Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

hawki Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches