It has been reported that 7,339 (and counting) individual e-commerce sites have been infested with the MagentoCore card skimmer malware in the last six months, making the malicious script one of the most successful payment card threats out there.
The infections are part of a single effort, all tied back to one well-resourced group with global reach. “Online skimming – your identity and card are stolen while you shop – has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer,” says Willem de Groot, an independent malware hunter.
“The group has turned [thousands] of individual stores into zombie money machines, to the benefit of their illustrious masters.”
De Groot also says he suspects the Magecart group – the same outfit that pulled off the Ticketmaster heist earlier in the year – is behind it. However, attribution beyond the basics remains murky.
“Their collection server is registered in Moscow, but I couldn’t say anything about their location or nationality, unfortunately,” he says.
The campaign is global and ongoing: According to de Groot’s nightly scans, new stores are being hijacked at the alarming pace of 50 to 60 stores per day.
Further, the script appears to be rather persistent: The average recovery time is “a few weeks,” he said, with at least 1,450 e-commerce sites hosting the MagentoCore parasite during the full six months of his analysis.
“The victim list contains multimillion dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their cards and identities stolen.”
The Magecart actors are targeting online stores running Magento and WordPress with WooCommerce, and “the attack vector is, in almost all recent cases, brute-forcing the administrator password.” De Groot said the adversaries are patient, automatically trying millions of common passwords until they find one that works, often over the course of a few months.
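The patience de Groot describes is what defeats the usual fail2ban-style rule, which only looks for a burst of failures in a few minutes. The following detector, an added example that is not part of the article and not de Groot’s own scanner, reads ordinary Apache/nginx combined-format access logs and flags a source address on either of two thresholds: many login POSTs within five minutes (a classic burst) or many login POSTs within thirty days (the low-and-slow drip). The login paths are the default Magento and WordPress endpoints and are an assumption; stores with a custom admin URL need their own entry. The thresholds and the sample log are constructed for illustration.

```python
"""Flag admin-login brute forcing (burst or low-and-slow) from web-server access logs.

Added example, not from the article. Assumes combined log format and the default
Magento/WordPress login endpoints; thresholds are illustrative, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed default login endpoints of Magento and WordPress (add a custom admin URL here).
LOGIN_PATHS = ("/admin", "/index.php/admin", "/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_login_post(rec):
    """A credential submission is a POST to one of the login endpoints (query string ignored)."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return any(path == p or path.startswith(p + "/") for p in LOGIN_PATHS)


def max_in_window(times, window):
    """Largest number of events inside any interval of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_bruteforce(lines, burst_window=timedelta(minutes=5), burst_max=20,
                    slow_window=timedelta(days=30), slow_max=200):
    """Return {ip: reason} for sources whose login POSTs exceed the burst or slow-drip threshold.

    All POSTs are counted, not only failures: the status code of a failed login differs
    between Magento (redirect) and WordPress (re-rendered form), and a real administrator
    never submits hundreds of login forms a month anyway.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_post(rec):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        burst = max_in_window(times, burst_window)
        slow = max_in_window(times, slow_window)
        if burst > burst_max:
            flagged[ip] = f"burst: {burst} login POSTs within {burst_window}"
        elif slow > slow_max:
            flagged[ip] = f"slow drip: {slow} login POSTs within {slow_window}"
    return flagged


def build_sample_log():
    """Constructed sample log (not real traffic): a bursting IP, a low-and-slow IP, a real admin."""
    start = datetime(2018, 9, 1, 10, 0, tzinfo=timezone.utc)

    def entry(ip, ts, method, path, status):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    # 25 guesses in two minutes against the Magento admin form: caught by the burst rule
    lines += [entry("203.0.113.5", start + timedelta(seconds=5 * i), "POST", "/index.php/admin/", 302)
              for i in range(25)]
    # one guess per hour for ten days against wp-login.php: invisible to the burst rule
    lines += [entry("198.51.100.7", start + timedelta(hours=i), "POST", "/wp-login.php", 200)
              for i in range(240)]
    # a real administrator: a login every other day plus dashboard views
    lines += [entry("192.0.2.9", start + timedelta(days=2 * i), "POST", "/index.php/admin/", 302)
              for i in range(5)]
    lines += [entry("192.0.2.9", start + timedelta(days=2 * i, minutes=1), "GET", "/index.php/admin/dashboard/", 200)
              for i in range(5)]
    lines.append("garbage line that does not parse")  # exercises the parser's None path
    return lines


if __name__ == "__main__":
    for ip, why in sorted(find_bruteforce(build_sample_log()).items()):
        print(ip, why)
```

Run against a real log, the slow-drip rule is the one to watch: a single source making one guess an hour looks like noise in any per-minute view, yet sustained over the months de Groot describes it is exactly the campaign's signature. Rotating source addresses defeat per-IP counting, so a per-endpoint total over the same long window is a worthwhile second pass.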
Attackers can also gain access through a malware-infected staff computer, or by hijacking an authorised session using a vulnerability in the content management system (CMS).
“That will periodically download malicious code, and, after running, delete itself, so no traces are left,” de Groot said.