SecurityWeek

Magecart Attack Hits ‘Shopper Approved’

Magecart, the web-based card skimmer campaign that targets popular e-commerce websites, has hit Shopper Approved, an organization that provides rating seals for online stores.

The first Magecart attacks were observed a couple of years ago, and they continue to be active. Earlier this year, the cybercriminals behind the operation hit several high-profile targets, including British Airways, Ticketmaster, and Newegg.

The hackers also targeted cloud service provider Feedify, which resulted in the potential compromise of hundreds of e-commerce websites.

Now, RiskIQ, the company that has been tracking Magecart since 2015, reveals that the attack on Shopper Approved too was an attempt to skim payment information from multiple online stores at once.

The compromise was first observed on September 15, when RiskIQ received an incident notification regarding Magecart. The attackers had replaced the normal certificate.js file for Shopper Approved with one that included their skimmer.

The attackers apparently replaced the file twice within a 15-minute window, because they forgot to obfuscate their skimmer at first, which allowed the RiskIQ security researchers to have a look at the unobfuscated code.

The researchers also discovered that the skimmer used the same drop server as the script used in the Feedify attack earlier this year.

Shopper Approved removed the malicious code on September 17, and also launched an internal investigation to find out how the compromise happened and who was affected.

“Fortunately, we were able to quickly detect and secure the code related to the incident. We also put additional security measures in place to help ensure that this doesn’t happen again,” Scott Brandley, co-founder of Shopper Approved, says in a notice on their website.

“After a thorough investigation, we were able to determine that only a very small percentage of our clients were involved, and we have already reached out to those clients directly in an effort to help them remediate any issues,” the notice reads.

RiskIQ too notes that only a small number of clients were impacted, despite the fact that Shopper Approved is active on thousands of websites.

Mitigating factors, the security researchers note, include the fact that prominent shopping carts actively block third-party scripts from displaying on checkout pages and that most Shopper Approved clients did not have the compromised script on their actual checkout pages.

Moreover, the skimmer code was designed to only look for checkout pages with specific keywords in the URL. Thus, the script did not impact pages that did not include those keywords.
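The mitigating factors above, turned into a check a store operator could run against their own pages (an added example, not code from RiskIQ, Shopper Approved or this article): it flags third-party scripts on checkout-like pages and reports when a pinned script no longer matches its reviewed content. The keyword list, the SHA-256 pinning approach and the example.test hosts are assumptions for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed keywords: the article does not list the ones the skimmer matched.
CHECKOUT_KEYWORDS = ("checkout", "payment", "cart")

class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def is_checkout_url(url):
    """True when the URL path contains one of the assumed checkout keywords."""
    return any(word in urlparse(url).path.lower() for word in CHECKOUT_KEYWORDS)

def third_party_scripts(page_url, html):
    """Absolute URLs of scripts served from a host other than the page's own."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    absolute = [urljoin(page_url, src) for src in collector.sources]
    return [u for u in absolute if urlparse(u).hostname != page_host]

def audit(page_url, html, fetched, pinned):
    """fetched: script URL -> bytes served now; pinned: URL -> reviewed SHA-256 hex."""
    findings = []
    for url in third_party_scripts(page_url, html):
        if is_checkout_url(page_url):
            findings.append(("third-party-on-checkout", url))
        body = fetched.get(url)
        if body is not None and url in pinned:
            if hashlib.sha256(body).hexdigest() != pinned[url]:
                findings.append(("content-changed", url))
    return findings

# Constructed sample data; the example.test hosts are placeholders.
PAGE = "https://shop.example.test/checkout/step2"
SEAL_URL = "https://seals.example.test/certificate.js"
HTML = '<script src="/static/app.js"></script><script src="//seals.example.test/certificate.js"></script>'
REVIEWED = b"/* reviewed seal widget */"
PINNED = {SEAL_URL: hashlib.sha256(REVIEWED).hexdigest()}
if __name__ == "__main__":
    print(audit(PAGE, HTML, {SEAL_URL: REVIEWED + b" /* altered */"}, PINNED))
```

Host comparison here is exact, so a store's own subdomains are also reported as third-party; adjust that rule to match how your assets are actually served.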

“Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. […] Now, Magecart operatives have learned to tune the CDNs they compromise to ensure that the only sites they hit are online stores. To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites,” RiskIQ concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
