Magecart attacks are still around. And they are becoming more stealthy

Magecart attacks are decreasing in number but are becoming more stealthy, with researchers highlighting potential server-side blindspots in tracking them.

It's not too often you hear about Magecart attacks. In the past few years, cybersecurity incidents that hit the headlines tended to involve attacks on core utilities and critical services, state-sponsored campaigns, ransomware, massive data breaches, and disruption on a broader scale than the issues that Magecart victims today often experience.

However, this doesn't mean that the problem has gone away, and we shouldn't forget that it's not only SMBs at risk: big brands have fallen prey to this type of cyberattack in the past, including British Airways, Newegg, and Ticketmaster.

SEE: Ransomware attacks: This is the data that cyber criminals really want to steal

Magecart describes cyberattacks that home in on the e-commerce capabilities of a website. Also known as card-skimming attacks, threat actors will often exploit a vulnerability in the backend content management system of a website or third-party dependencies and covertly implant malicious JavaScript code.

This code, embedded in the payment section of a website, will then harvest any card details put in by a customer and send them to an attacker-controlled server.

On June 20, Malwarebytes researcher Jérôme Segura said in a blog post that while Magecart attack rates appear to have diminished, recent reports suggest the market for stolen credit card information is still considered worthwhile – and a new campaign has shown that some operations still operate a "pretty wide infrastructure."

A Sansec report posted on June 9 revealed a new skimmer domain. On June 12, another researcher tweeted about a host, suspected to be malicious, and its connection to a hacked e-commerce store. This was then confirmed by another researcher.

Malwarebytes has investigated the reports and, based on the same autonomous system number used in both cases, the domains have been connected to a larger campaign.

The cybersecurity researchers combed back through their records and linked the recent Magecart activity to a campaign back in 2021, in which a skimmer was hosted that was able to detect the use of virtual machines (VMs).

While the reason is unclear, the VM code has since been removed from the skimmer. In addition, the new malware has different naming schemes. However, there were enough clues to point Malwarebytes toward a range of URLs, some of which were malicious. 

This new campaign's activity is suspected of going back to at least May 2020.

SEE: Why cloud security matters and why you can't ignore it

A challenge in tracking the current trajectory of Magecart attacks, however, is an ongoing disparity between a lack of visibility server-side and more transparent client-side scanning tools.

"If the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight," Segura commented. "This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it. For now, we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don't make them more robust."

Last year, Cloudflare launched a cybersecurity offering designed to tackle Magecart-style attacks. Cloudflare's Page Shield, a client-side solution, now features Script Monitor, which checks third-party JavaScript dependencies and records any changes made to the code over time. This can flag organizations to any malicious additions added to their e-commerce services. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0