Magecart Group 12 unleashes stealthy PHP skimmer against vulnerable Magento e-commerce sites

Server-side requests to malicious domain conceal malware from endpoint security tools

Novel credit card skimming malware that easily evades client-side detection has been deployed against e-commerce sites running unsupported versions of Magento, security researchers have found.

The campaign has been attributed to Magecart Group 12, since it uses infrastructure previously linked to the group and the new malware is disguised as a favicon – an image file containing a brand logo displayed on browser tabs.

The new strain, which has the file name ‘Magento.png’, gains a foothold on target websites via a PHP web shell, unlike similar favicon-imitating skimmers that hide malicious JavaScript code.

End of the line

Researchers from Malwarebytes Labs detected the malware on a number of websites running Magento 1, the latest version of which is still estimated to power nearly 53,000 e-commerce sites, almost 11 months after Adobe discontinued support for the release line.

Magecart 12 threat actors were also blamed for a wave of attacks in September 2020 that leveraged another innovative skimmer, dubbed ‘Ant and Cockroach’ by RiskIQ, and impacted approaching 3,000 domains running Magento 1.

BACKGROUND Magecart attacks: Cat-and-mouse game continues between cybercrooks and law enforcement

The prolific group has also been credited with the use of a decoy Cloudflare library and the covert installation of cryptocurrency miners on vulnerable websites.

Sneaking through server-side

Magecart-style attacks traditionally use web injections to deploy JavaScript code on Magento websites and exfiltrate payment card information from customers.

According to Malwarebytes’ latest research, the Magento.png attack uses PHP web shells called ‘Smilodon’ or ‘Megalodon’ to dynamically inject JavaScript skimming code into the target site, according to a Malwarebytes blog post published last week.

Requests to the malicious domain are done server-side, circumventing detection or blocking by client-side security tools.

Read more of the latest security research news from around the world

Jérôme Segura, lead malware threat intelligence analyst at Malwarebytes, said “domain/IP database approach” commonly deployed to thwart conventional client-side skimming attacks would not work against the new malware “unless all compromised stores were blacklisted, which is a catch-22 situation”.

An alternative approach, inspecting the DOM in real time and detecting when malicious code has been loaded, is “more effective, but also more complex and prone to false positives”, added the researcher.

Faulty PHP script

Magento.png “attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file”, continued Segura.

Vulnerable sites are compromised “by replacing the legitimate shortcut icon tags with a path to the fake PNG file”.

However, Segura noted that “in its current implementation this PHP script won’t be loaded properly”.

Segura urged online merchants to keep their stores “up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them”.

According to a scan of Magento websites performed by cybersecurity firm Foregenix in July 2020, a few days after vendor support was discontinued, 79.6% of malware-infected domains were running Magento 1.

The Daily Swig has put additional questions to Malwarebytes and we will update the story if and when we receive responses.

RELATED XSS in the wild: JavaScript-stuffed orders used to compromise Japanese e-commerce sites