Magecart Malware Steals Credit Card Data from Legitimate Online Payment Forms

Traditional credit card skimmers are physical devices attached to or overlain on ATMs or other credit card terminals. These are still around and some, like the overlay skimmer below which was reported on by Brian Krebs, are quite sophisticated.

[Image: card skimmer]

Once the criminals get your credit card data and your pin number through the skimmer, they can produce a card that can be used to clean out your bank account at, ironically, an ATM.

But skimmers have evolved from the analogue to the digital. Now, criminals can wait for you to fill out a legitimate online shopping payment form and then have the data sent directly to them. In other words, you believe you have had a normal online shopping experience on an https protected site, but, unbeknownst to you, someone, in addition to the company you’re buying from, has received all of your personal information and credit card data. Here is a diagram from Symantec which shows the basic idea behind these attacks, which are sometimes referred to as formjacking.

[Image: formjacking diagram]

These attacks are very effective, and cybersecurity experts have been seeing them increase at a remarkable rate. Within the last few months alone, the Magecart threat group has gleaned the data from hundreds of thousands, perhaps even millions, of credit cards through attacks on Ticketmaster, British Airways, and Newegg. There are, no doubt, other ecommerce sites that are currently leaking customer data without the site owners even knowing it, because the attack vector is so well-disguised.

So how, you may rightly ask, is all of this possible? How can they take control of legitimate payment forms? Well, first of all, they would have to compromise an ecommerce website, which is not necessarily easy. They would have to get access to the site by getting the webmaster’s password or by tricking someone who has it, through a phishing email, to give it to them. The attackers could also find vulnerabilities in plug-ins and leverage them to get control of a site. In any event, once on the site, they could alter the code to make the site perform in the way they want it to.

The organization of such an attack, however, takes a lot of time and it does not come with a guarantee of success. Large sites are often well-protected. Ticketmaster, for example, was not attacked directly but by compromising a third party supplier, Inbenta, a company that designs, among other things, shopping cart code for various ecommerce sites. If Inbenta had access to the Ticketmaster website, an attacker could use this access to alter the code on that site. Once the main Ticketmaster site was breached, the attackers could extend their attack to other points on its worldwide network, which, according to the RiskIQ report on this breach, they probably did.

However, there is an easier way to gain access to a variety of websites, especially if you speak Russian. This is an underground Russian website called MagBo that sells access to over 3000 compromised websites. The price varies with the importance of the site compromised.

[Image: MagBo marketplace listing]

You can see, from the graph supplied by Flashpoint, that the site specializes in selling access to ecommerce sites.

[Image: MagBo graph from Flashpoint]

Since the site gives a menu to buyers on how much access they are buying and what vulnerabilities are available, potential attackers can choose which site best suits their hacking methods and goals. The Magecart attack group looks for sites that give them the ability to alter the code on the page that supplies the form that shoppers fill out to get their merchandise.

Without going into technical detail, the injected script would send the information from the form to a site that is made to look like it is connected to the breached site. In the Newegg breach, the information was sent to a site named neweggstats.com. This site was officially registered on August 13th in preparation for the attack. The group also purchased an SSL certificate for the site to make it look more valid (so that it would be served over https). The actual attack began three days later and continued until September 18th.

For those interested, the actual code for this attack is shown below.

[Image: Magecart injected script used in the Newegg attack]

An important point to note occurs in the second line which shows that the code targeted both computers (mouseup) and mobile devices (touchend). Newegg has released no information as to how many customers were compromised, but since Newegg has an estimated 50 million visitors a month, if we assume only 2% were buyers (a modest estimate), it is not a stretch to assume that over a million customer credit card details were stolen.
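As an added example (not the post's own code, and not the attackers' script), here is a small defender-side triage check that scans a page's inline scripts for the pattern described above: handlers on both mouseup and touchend combined with a reference to a host outside the shop's own domain. The sample HTML is constructed; neweggstats.com is the hostname named in the post, and www.example-shop.com is a placeholder.

```javascript
// Added example (not from the original post): a static check that flags inline
// scripts which hook checkout-form events and reference hosts outside an allowlist.
// It is a regex-based triage aid for reviewing a checkout page, not a JS parser.
const FORM_EVENTS = ["mouseup", "touchend", "submit", "click", "keyup"];
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const EVENT_RE = /addEventListener\s*\(\s*['"](\w+)['"]/g;
const HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Returns one finding per inline script that both hooks a form-related event
// and names a host that is not in allowedHosts (the shop's own domains).
function scanInlineScripts(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const body = m[1];
    const events = [...body.matchAll(EVENT_RE)]
      .map((e) => e[1].toLowerCase())
      .filter((e) => FORM_EVENTS.includes(e));
    const hosts = [...new Set([...body.matchAll(HOST_RE)].map((h) => h[1].toLowerCase()))];
    const foreign = hosts.filter((h) => !allowed.has(h));
    if (events.length > 0 && foreign.length > 0) {
      findings.push({ events: [...new Set(events)], foreignHosts: foreign });
    }
  }
  return findings;
}

// Constructed sample: a checkout page with a legitimate first-party script and a
// second inline script that hooks both mouse and touch events and names a
// lookalike host. The handler bodies are placeholders, not skimmer code.
const SAMPLE_HTML = `
<script src="https://www.example-shop.com/js/checkout.js"></script>
<script>
  fetch("https://www.example-shop.com/api/cart"); /* legitimate first-party call */
</script>
<script>
  document.addEventListener("mouseup", function () { /* ... */ });
  document.addEventListener("touchend", function () { /* ... */ });
  var dst = "https://neweggstats.com/"; /* lookalike host named in the post */
</script>`;

// Example run: the second inline script is reported with its events and foreign host.
console.log(JSON.stringify(scanInlineScripts(SAMPLE_HTML, ["www.example-shop.com"])));
```

Real skimmers are usually obfuscated, so a hit here is a starting point for manual review and a miss is not a clean bill of health.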

Needless to say, if you visited Newegg during the mid-August to mid-September period, keep an eye on your credit card transactions or take other preventive action such as applying for a new credit card. For that matter, if you have had earlier dealings with Ticketmaster or British Airways, be sure to review all of your transactions. Symantec has noted a large increase in Magecart attacks on a variety of large and small ecommerce sites, so buying online has become a lot more risky. This site lists URLs that may be connected to Magecart, and there are a lot of them. As a shopper, you can be easily fooled because, unlike most scams, the problem is not with your computer or device but hidden on the ecommerce site itself. In addition, it can be so well-disguised that you will likely not see that anything is wrong. Your order will even go through. Unfortunately, a duplicate order will go to the attackers and they can then use your card information and personal information in whatever way they want. They can use it themselves or sell it on the deep web.

To summarize, there is little you, as a buyer, can do. The Magecart attack group continues to upgrade its attacks and makes each harder to detect than the one before. We are certain to hear of more of these attacks over the next few months as the attackers gear up for the biggest online shopping season of all, Christmas, though, if the past is any indication of the future, these attacks won’t be discovered until the beginning of next year.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technologies, TrustWall and Mobile bare-metal virtualization. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator.
