Summer of Magecart – Security Boulevard

As Summer ‘21 comes to an end, let’s take a look at some victims of Magecart and Magecart-style attacks and learn how to prepare for the holiday shopping season that is rapidly approaching. According to research group Gemini Advisory, at least 10 client-side attacks took place in just June, July, and August. Spread across various sites, these attacks skimmed approximately 38,000 payment cards.

June ‘21

Looking at June of 2021, we find four notable client-side attacks on a variety of ecommerce sites. These attacks, while small in size, show that client-side vulnerabilities are being exploited wherever they are found. The known sites are listed below:

July ‘21

In July of 2021, we know of three attack discoveries and disclosures. They are listed below.

One of them, the attack on Savory Spice, was active for three years before the investigation was completed. According to the breach notification letter, the attack was active from April 2018 until March 2021. More troubling than the three-year attack time frame is that in October 2020 the company learned of the Magecart attack but took over five months to remedy the issue (March 2021) and another three months to complete the investigation (July 2021). This timeline, if anything, shows that relying on detection tools, scanning tools, or other non-preventative measures may give years of life to an attack that could have been prevented with the right solution.

August ‘21

The month of August has seen a variety of attacks, from standard Magecart skimming to scripts that mine cryptocurrency to pre-packaged skimming kits bought on the dark web. Below are the four attacks currently disclosed in August.

Focusing on the Coinhive script

Coinhive is a malicious mining script, found most recently on AffiniTweet, that uses the visitor’s machine to mine Monero coins. Monero is a cryptocurrency whose blockchain transactions are designed to be untraceable and untrackable. KrebsOnSecurity has this to say about Coinhive: “…Coinhive’s code frequently locks up a user’s browser and drains the device’s battery as it continues to mine Monero for as long a [sic] visitor is browsing the site.” The service can be included in a website’s code legitimately, but when it runs without notice to the visitor, the Coinhive code amounts to cryptojacking.

Billar

The next attack in August to pay attention to is on Cornhole Antics. As of this writing, the site is still infected with a pre-packaged Magecart attack authored by “Billar” and sold on the dark web for $3000. This attack package includes:

  • A unique way of receiving, implementing, and executing malware code
  • Cross-browser obfuscated data transfer
  • MaxMind GeoIP integration
  • An admin panel that possesses enhanced security to defeat brute-force and DDoS attacks
  • 24/7 support and flexibility for any customers’ needs

The pre-packaged attack uses the advanced technique of hiding code in an image, specifically the site’s favicon. This technique is well known and can even be blocked by antivirus software such as Norton.
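As an added example (not code from the original post or from Source Defense), the Python check below shows one way a defender can spot the favicon trick described above: it walks a PNG’s chunk list to the IEND chunk and flags any bytes that follow it, which is where text appended to an image would sit. The 1x1 PNG and the appended marker string are constructed here for the demonstration; a real .ico favicon would need an ICO parser instead.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Substrings suggesting the trailing bytes are JavaScript rather than padding.
SCRIPT_HINTS = (b"eval(", b"function", b"<script", b"document.", b"atob(")


def _chunk(kind: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def inspect_favicon(data: bytes) -> dict:
    """Walk the chunk list to IEND and report whatever follows it."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        kind = data[pos + 4:pos + 8]
        pos += 8 + length + 4                     # skip header, data and CRC
        if pos > len(data):
            raise ValueError("truncated chunk %r" % kind)
        if kind == b"IEND":
            trailing = data[pos:]                 # a clean PNG ends exactly here
            return {
                "trailing_bytes": len(trailing),
                "script_like": any(h in trailing for h in SCRIPT_HINTS),
            }
    raise ValueError("no IEND chunk")


def make_1x1_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as the clean sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 8-bit greyscale
    idat = zlib.compress(b"\x00\x80")                     # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples: a clean favicon and one with script-like text appended after IEND.
CLEAN_FAVICON = make_1x1_png()
TAMPERED_FAVICON = CLEAN_FAVICON + b"/* constructed */ eval(atob('...'));"

if __name__ == "__main__":
    print(inspect_favicon(CLEAN_FAVICON))     # script_like: False, trailing_bytes: 0
    print(inspect_favicon(TAMPERED_FAVICON))  # script_like: True
```

Run the same check against the favicon fetched from your own storefront; any non-zero trailing byte count deserves a look even if it does not match the script hints.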

In this Summer of Magecart, both new and old techniques have been put to use by attackers looking to pocket some quick coin, both physical and digital. With around 38,000 cards known to be compromised by attacks disclosed this summer, over $300,000 worth of payment card information is available on the dark web.

Solutions that only detect and scan for these attacks cost your business money and time and damage its brand. Source Defense’s real-time prevention technology stops these attacks from succeeding, allowing your business to stay on track and on target. Click here for a demo of the Source Defense solution, in hopes that we soon see the “Fall” of Magecart.

The post Summer of Magecart appeared first on Source Defense.

This is a Security Bloggers Network syndicated blog from Blog – Source Defense authored by Randy Paszek. Read the original post at: https://sourcedefense.com/resources/summer-of-magecart/