Hunting Magecart with URLscan.io
Magecart — originally the name applied to a single criminal gang but now the umbrella term for a JavaScript-based web skimming attack — has emerged as a major threat to the security of payment card details. Once the skimmer code has been inserted into the payment function of a website, its operation can be silent and efficient, with neither the website operator nor the consumer victim knowing that plaintext card details have been stolen.
Content Security Policy (CSP, which controls the resources that are allowed to load) and Subresource Integrity (SRI, which verifies the integrity of delivered resources) are useful defenses against Magecart attacks; but are not considered to be foolproof and may be beyond the reach of small retailers. The result is the buying consumer has no way of knowing whether a favored online retailer has been compromised or not.
Trustwave has now published a how-to guide where anyone — consumers or small retailers — can check for the presence of Magecart using the free URLscan.io service. It is not the idea that is new, but the guide. ‘Jake’ started a Twitter thread titled ‘Magecart Hunting Thread’ on December 3, 2019: “This is a thread about how to hunt and find #Magecart infected sites using @URLscan.” The Twitter thread is well-suited to tech-savvy threat hunters; the Trustwave blog provides step-by-step instructions for almost anyone.
URLscan provides an automated scan and analysis of websites via standard browsing. It records and displays the activity of the page, including the domains and IP addresses contacted, and the resources — including scripts — requested from those domains. While it offers professional commercial services, it also provides a free-to-use Public Scan of specified URLs.
Trustwave’s approach is to enter the retailer’s URL into URLscan and run a public scan. At the bottom of the scan is a section titled Domain & IP information, which are those domains that have performed requests on the site. The first task is to look for anything that looks odd. In Trustwave’s example the majority of requests have come from a single source, with two more coming from Google and Facebook. This could be considered normal behavior. The last entry, however, stands out. It could be anything, says Trustwave, “an externally loaded ad or resource, but we’ll need to dig deeper to find out.”
Clicking the HTTP option at the top of the URLscan page shows that the source of this entry is scriptvault.org/src, located in France — but, of course, it could still be anything. To the right of the HTTP are a series of sub-options. One is labeled ‘Script’. Since Magecart is a JavaScript attack, this is the one to click. This provides access to the scripts used in the exchange between the website and the source via a new ‘Show response’ option.
In the Trustwave example, all but one of the scripts provided come from a single IP address. The odd one out is our suspect site in France. “In normal circumstances,” says Trustwave, “this script file would be loaded from the same domain as all the other script files. This is a big red flag.”
The ‘Show response’ option will display the script itself. It is an obfuscated Magecart script — and the presence of obfuscation in what should be a legitimate script is a huge clue.
Trustwave’s next step is to see if the payment script is also falsified. Here the relevant script is ccard.js, and the same process displays a known skimmer called Inter — in this instance not obfuscated. “As further evidence that this script is malicious,” says Trustwave, “we can look into the ‘Gate’ field which contains the exfiltration URL.”
This is specified as 93 187 129 249. A subsequent WHOIS lookup says that this IP is registered in Hong Kong, providing strong evidence that card payment details are being scraped and sent to a location in the far east.
While skimming domains are regularly taken down by the authorities, Trustwave fears that this is just a game of whack-a-mole — new domains rapidly get created. “The only reliable way of preventing Magecart,” it says, “is to detect, fix, and harden the security of websites.” The process described in Trustwave’s guide will help consumers (and hunters) to detect infected websites and tell them not to provide any payment details. If the infection is also reported to the website, the website can take the necessary steps to first remove the skimmer, and then harden the site.
Related: Magecart Skimmers Found on Salesforce’s Heroku Platform
Related: Magecart Hackers Target Mobile Users of Hotel Websites
Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops
Related: Historical Breadcrumbs Link Magecart 5 to Carbanak Group