Magecart Attack Hits ‘Shopper Approved’

Magecart, the web-based card skimmer campaign that targets popular e-commerce websites, has hit Shopper Approved, an organization that provides rating seals for online stores.

The first Magecart attacks were observed a couple of years ago, and the campaign remains active. Earlier this year, the cybercriminals behind the operation hit several high-profile targets, including British Airways, Ticketmaster, and Newegg.

The hackers also targeted cloud service provider Feedify, which resulted in the potential compromise of hundreds of e-commerce websites.

Now RiskIQ, the company that has been tracking Magecart since 2015, reveals that the attack on Shopper Approved was also an attempt to skim payment information from multiple online stores at once.

The compromise was first observed on September 15, when RiskIQ received an incident notification regarding Magecart. The attackers had replaced the normal certificate.js file for Shopper Approved with one that included their skimmer.

The attackers apparently replaced the file twice within a 15-minute window because they forgot to obfuscate their skimmer at first, which allowed the RiskIQ security researchers to have a look at the deobfuscated code.

The researchers also discovered that the skimmer used the same drop server as the script used in the Feedify attack earlier this year.

Shopper Approved removed the malicious code on September 17, and also launched an internal investigation to find out how the compromise happened and who was affected.

“Fortunately, we were able to quickly detect and secure the code related to the incident. We also put additional security measures in place to help ensure that this doesn’t happen again,” Scott Brandley, co-founder of Shopper Approved, says in a notice on their website.

“After a thorough investigation, we were able to determine that only a very small percentage of our clients were involved, and we have already reached out to those clients directly in an effort to help them remediate any issues,” the notice reads.

RiskIQ too notes that only a small number of clients were impacted, despite the fact that Shopper Approved is active on thousands of websites.

Mitigating factors, the security researchers note, include the fact that prominent shopping carts actively block third-party scripts from being displayed on checkout pages, and that most Shopper Approved clients did not have the compromised script on their actual checkout pages.

Moreover, the skimmer code was designed to only look for checkout pages with specific keywords in the URL. Thus, the script did not impact pages that did not include those keywords.
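A store operator can check its own exposure to this kind of third-party script replacement with an audit like the one below. It is an added example, not code from the article, RiskIQ or Shopper Approved, and it uses Subresource Integrity (SRI) pinning, which the article does not mention. The hostnames, the keyword list and all function names are assumptions, and the sample HTML is constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keywords: the article does not list the ones the skimmer matched.
CHECKOUT_KEYWORDS = ("checkout", "cart", "payment")

def sri_sha384(body: bytes) -> str:
    """Subresource Integrity value for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))

def audit_page(page_url, html, served):
    """Flag third-party scripts on checkout-like pages; served maps URL -> bytes."""
    page = urlparse(page_url)
    if not any(k in page.path.lower() for k in CHECKOUT_KEYWORDS):
        return []
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, pin in collector.scripts:
        host = urlparse(src).netloc
        if not host or host == page.netloc:
            continue  # relative or first-party script
        if pin is None:
            findings.append((src, "no integrity pin"))
        elif src in served and sri_sha384(served[src]) not in pin.split():
            findings.append((src, "content does not match pin"))
    return findings

# Constructed sample data, not taken from the incident.
GOOD_JS = b"renderSeal();"
TAMPERED_JS = b"renderSeal();/* altered */"
SAMPLE_HTML = f"""<script src="/js/app.js"></script>
<script src="https://seal.example/certificate.js" integrity="{sri_sha384(GOOD_JS)}"></script>
<script src="https://stats.example/t.js"></script>"""

if __name__ == "__main__":
    served = {"https://seal.example/certificate.js": TAMPERED_JS}
    print(audit_page("https://shop.example/checkout/step1", SAMPLE_HTML, served))
```

A pinned script whose served bytes change is reported as a mismatch, which is the condition under which a browser enforcing SRI would refuse to run it.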

“Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. […] Now, Magecart operatives have learned to tune the CDNs they compromise to ensure that the only sites they hit are online stores. To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites,” RiskIQ concludes.

Related: Card Data-Scraping Magecart Code Found on Newegg

Related: MageCart Attackers Compromise Cloud Service Firm Feedify

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
