MageCart Attackers Compromise Cloud Service Firm Feedify

Hundreds of e-commerce Sites Impacted by MageCart Compromise of Cloud Service Provider

Payment card data from customers of hundreds of e-commerce websites may have been stolen after the MageCart threat actors managed to compromise customer engagement service Feedify. 

Feedify, which claims to have over 4,000 customers, provides customers with various tools to target users based on their behavior, along with real-time analytics, reports, and push notifications. 

The infection was possible because Feedify requires customers to add a JavaScript script to their websites to use the service. The script loads various resources from Feedify’s servers, including a compromised library named “feedbackembad-min-1.0.js,” which is used by hundreds of sites.

This means that any user whose browser loaded the compromised feedback library while visiting the website of a Feedify customer might have had their personal information stolen by the malicious MageCart code.
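For site owners who embed vendor scripts this way, the following added example (not code from SecurityWeek, RiskIQ or Feedify) audits a page's script tags for third-party code that is not pinned with Subresource Integrity, or whose served copy no longer matches its pin. The hosts, paths and script bodies are constructed placeholders, and the served bodies are passed in as a map so the check runs offline.

```javascript
// Added example (Node.js). Hosts, paths and script bodies are constructed.
const { createHash } = require("node:crypto");

// SRI value for a script body, e.g. "sha384-<base64 digest>".
function sriDigest(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body, "utf8").digest("base64")}`;
}

// External <script src> tags with their integrity attribute, if present.
function externalScripts(html) {
  const tags = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) continue; // inline script, nothing fetched
    const pin = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    tags.push({ src: src[1], integrity: pin ? pin[1] : null });
  }
  return tags;
}

// Status per third-party script: "unpinned", "mismatch" or "ok".
// `served` maps URL -> body as currently served (single-hash pins only).
function auditScripts(html, siteOrigin, served) {
  const findings = [];
  for (const tag of externalScripts(html)) {
    const url = new URL(tag.src, siteOrigin);
    if (url.origin === siteOrigin) continue; // first-party
    let status = "unpinned";
    if (tag.integrity) {
      const algo = tag.integrity.split("-")[0];
      const known = ["sha256", "sha384", "sha512"].includes(algo);
      status = known && served[url.href] !== undefined &&
        sriDigest(served[url.href], algo) === tag.integrity ? "ok" : "mismatch";
    }
    findings.push({ url: url.href, status });
  }
  return findings;
}

// Constructed sample: unpinned loader, pinned library changed upstream, pinned widget.
function demo() {
  const good = "function widget(){ /* vendor code */ }";
  const html = `<script src="/js/app.js"></script>
<script src="https://cdn.vendor.example/loader.js"></script>
<script src="https://cdn.vendor.example/lib-1.0.js" integrity="${sriDigest(good)}" crossorigin="anonymous"></script>
<script src="//static.other.example/widget.js" integrity="${sriDigest(good, "sha256")}" crossorigin="anonymous"></script>`;
  return auditScripts(html, "https://shop.example", {
    "https://cdn.vendor.example/lib-1.0.js": good + "\n/* appended code */",
    "https://static.other.example/widget.js": good,
  });
}
```

An integrity attribute covers only the file named in that tag. A library that a vendor's loader script fetches at run time, as described above, is not covered by a pin on the loader, so the unpinned and mismatch findings are the ones to review.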

Tracked since 2015, MageCart has been targeting e-commerce sites with web-based card skimmers – malicious code that steals payment card and other sensitive information provided by the users. The actors have hit a large number of businesses, including Ticketmaster and British Airways. 

Now, researchers have discovered that the actors managed to compromise Feedify and that they injected their malicious code into a library the Feedify script served to customers’ websites. Thus, all those who visited the impacted sites would load the malicious code in their browsers. 

On Wednesday, RiskIQ researcher Yonathan Klijnsma confirmed not only that Feedify was compromised, but also that the attackers might have had access to the service’s servers for nearly a month. 

Feedify apparently removed the malicious code after a security researcher alerted them on Tuesday, but it didn’t take long for the attackers to re-infect the script, revealing that the actors still had access to the company’s servers. 

As previous reporting on MageCart underlined, the attackers appear to have broad access into the compromised infrastructure and are not shy about re-injecting their malicious code if it gets removed. In one instance, they even threatened the victim, claiming they would encrypt all of their resources if the malicious code was removed again. 

At the end of August, security researcher Willem de Groot revealed that the attackers might have planted their credit card data-scraping code onto over 7000 websites. The skimmers appeared to react fast to blocking attempts and were compromising tens of new sites per day, he said. 

SecurityWeek contacted Feedify for a statement on the incident but a company spokesperson wasn’t immediately available for comment. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
