Magecart started as the name given to a single criminal gang operating a software skimming attack targeting payment card data on web sites. The process proved so successful that other gangs began to use the same approach.
Magecart is now the generic term for the attack rather than the name of a gang. It is believed that there are a dozen or more gangs operating the Magecart style of attack — some of them being long-standing and known gangs.
A primary advantage of Magecart attacks over enterprise breach and card database theft is that it captures the relevant data unencrypted, and includes the CVV number. The stolen data is immediately usable for online bank fraud.
At the same time as Magecart has expanded, the practice for criminals to use legitimate online services to host their infrastructure has also grown. It is a form of hiding in plain sight that is easy to set up and move around, and inexpensive if not free. Criminal use of cloud services is mirroring the legitimate use of cloud, and is likely to continue, if not grow.
Researchers at Malwarebytes have already discovered examples of Magecart actors abusing GitHub to serve a web skimmer (April 2019), and a campaign injecting skimming code into AWS S3 buckets (June 2019). Now they have found what they describe as ‘a rash of skimmers’ on Heroku.
Heroku is a container based managed Platform-as-a-Service (PaaS) owned by Salesforce. It allows developers to deploy, manage and scale their apps without needing to maintain their own infrastructure, and offers a free to use starter service. “Threat actors, say the researchers, “are leveraging the service to host their skimmer infrastructure but also to collect stolen credit card data.” They are registering free accounts to host their skimming business.
The skimming software has three components: the core skimmer that is injected into merchant sites, detects the checkout URL and loads the next component; a malicious iFrame that overlays the payment form and harvests the bank card details; and an exfiltration mechanism that encodes the stolen data and sends back to Heroku.
The core skimmer monitors the current page and loads the iFrame when the URL contains the Base64 encoded string Y2hlY2tvdXQ= (checkout). The iFrame overlays the standard payment form. It appears identical because it uses the same CSS style sheet.
The captured data is then exfiltrated, and victims receive an error message: ‘Unexpected error. Please reload the page and try again.’ This allows the victims to continue with their genuine purchase without any indication of a problem or theft of their card details.
The Malwarebytes researchers found several skimmers on Heroku. All used the same naming convention for their script, and all became active within the past week — indicating either the same gang or a similar source for the code. They seemed to be targeting Cyber Monday and the end of year buying season.
Malwarebytes reported its findings to the Salesforce Abuse Operations team, and the skimmer accounts have already been taken down. The nature of using legitimate services and the advantage to the criminals is that the operation can easily be moved to an alternative service. It becomes another game of whack-a-mole between the researcher and the criminals.
Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops
Related: MasterMana Campaign Combines Stealth, Free Services and Old Malware
Related: Attackers Hide in Plain Sight as Threat Hunting Lags: Report