New Magecart Group Targets French Ad Agency

A new threat actor operating under the “Magecart” umbrella landed a malicious skimmer on hundreds of websites through a supply chain attack, security firms reveal.

Financially motivated, the Magecart actors place web-based skimmers on compromised websites and steal credit card information from users making purchases on those sites. Last year, the hackers hit high-profile targets, including Ticketmaster, British Airways, Newegg, Feedify, and Shopper Approved.

In a report published in November last year, RiskIQ detailed the activity of the hackers referred to as the “Magecart” attackers, revealing information on seven hacking groups operating under the umbrella.

Since then, not only did the malicious activity associated with the actors continue, but more hackers have adopted their tactics, RiskIQ notes in a new report.

In a recently observed campaign, a new actor employed a third-party supply chain attack to ensure their malicious code reaches a large number of sites. The employed tactic is similar to that of the previously documented Group 5.

Referred to as Magecart Group 12, the new actor compromised a content delivery network for advertisements and injected their code into a JavaScript library for retargeting advertising. This allowed their skimmer to be delivered to all websites that loaded scripts from the ad agency’s ad tag.

Previously focused on direct attacks, Group 12 built an infrastructure in September 2018, abusing Let’s Encrypt to obtain SSL certificates. The skimming backend was also installed then.

The hackers used a small snippet with a base64-encoded URL for the resource which is decoded at runtime and injected into the page, RiskIQ explains. The code adds a new script node to the DOM to load a script from the URL decoded in the snippet. The resource contains the obfuscated skimmer.

Group 12 engaged in such attacks into 2019 as well, but also managed to compromise the website of French advertising agency Adverline at the end of 2018, which allowed them to greatly expand the delivery of their skimmer code.

The code was found “loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands,” Trend Micro, which discovered the skimmer in early January, says.

Trend Micro notified Adverline of the breach and the online advertising company has handled the incident and carried out remediation operations in relationship with the CERT La Poste.

The skimmer code for Group 12, RiskIQ explains, protects itself from deobfuscation and analysis by performing an integrity check on itself. The toolkit employs two obfuscated scripts, with each of them performing the self-integrity check.

The first script includes a fingerprinting routine to check if it runs on a mobile device and if the browser debugger is on (it constantly cleans the debugger console messages if so), to determine whether the browser session is from an actual user or not.

Packing the main skimming code, the second script first checks if it is executed on a shopping website by looking for specific strings (checkout, billing, and purchase, among others, including words in French and German).

The skimmer gathers payment and billing information from victims and uses the localstorage object of the visitor’s browser to store the harvested information.

“These attacks further demonstrate the importance of securing the infrastructures used to run websites, applications, or web applications, especially those that store and manage sensitive data. Regularly patch and update software; disable, restrict, or secure outdated components or third-party plugins; and strengthen credentials or authentication mechanisms,” Trend Micro concludes.

Related: Seven Hacking Groups Operate Under “Magecart” Umbrella, Analysis Shows

Related: Magecart Hackers Now Targeting Vulnerable Magento Extensions