Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New Magecart Group Targets French Ad Agency

A new threat actor operating under the “Magecart” umbrella landed a malicious skimmer on hundreds of websites through a supply chain attack, security firms reveal.

A new threat actor operating under the “Magecart” umbrella landed a malicious skimmer on hundreds of websites through a supply chain attack, security firms reveal.

Financially motivated, the Magecart actors place web-based skimmers on compromised websites and steal credit card information from users making purchases on those sites. Last year, the hackers hit high-profile targets, including Ticketmaster, British Airways, Newegg, Feedify, and Shopper Approved.

In a report published in November last year, RiskIQ detailed the activity of the hackers referred to as the “Magecart” attackers, revealing information on seven hacking groups operating under the umbrella.

Since then, not only did the malicious activity associated with the actors continue, but more hackers have adopted their tactics, RiskIQ notes in a new report.

In a recently observed campaign, a new actor employed a third-party supply chain attack to ensure their malicious code reaches a large number of sites. The employed tactic is similar to that of the previously documented Group 5.

Referred to as Magecart Group 12, the new actor compromised a content delivery network for advertisements and injected their code into a JavaScript library for retargeting advertising. This allowed their skimmer to be delivered to all websites that loaded scripts from the ad agency’s ad tag.

Previously focused on direct attacks, Group 12 built an infrastructure in September 2018, abusing Let’s Encrypt to obtain SSL certificates. The skimming backend was also installed then.

The hackers used a small snippet with a base64-encoded URL for the resource which is decoded at runtime and injected into the page, RiskIQ explains. The code adds a new script node to the DOM to load a script from the URL decoded in the snippet. The resource contains the obfuscated skimmer.

Group 12 engaged in such attacks into 2019 as well, but also managed to compromise the website of French advertising agency Adverline at the end of 2018, which allowed them to greatly expand the delivery of their skimmer code.

The code was found “loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands,” Trend Micro, which discovered the skimmer in early January, says.

Trend Micro notified Adverline of the breach and the online advertising company has handled the incident and carried out remediation operations in relationship with the CERT La Poste.

The skimmer code for Group 12, RiskIQ explains, protects itself from deobfuscation and analysis by performing an integrity check on itself. The toolkit employs two obfuscated scripts, with each of them performing the self-integrity check.

The first script includes a fingerprinting routine to check if it runs on a mobile device and if the browser debugger is on (it constantly cleans the debugger console messages if so), to determine whether the browser session is from an actual user or not.

Packing the main skimming code, the second script first checks if it is executed on a shopping website by looking for specific strings (checkout, billing, and purchase, among others, including words in French and German).

The skimmer gathers payment and billing information from victims and uses the localstorage object of the visitor’s browser to store the harvested information.

“These attacks further demonstrate the importance of securing the infrastructures used to run websites, applications, or web applications, especially those that store and manage sensitive data. Regularly patch and update software; disable, restrict, or secure outdated components or third-party plugins; and strengthen credentials or authentication mechanisms,” Trend Micro concludes.

Related: Seven Hacking Groups Operate Under “Magecart” Umbrella, Analysis Shows

Related: Magecart Hackers Now Targeting Vulnerable Magento Extensions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.