It has been reported that the Bank of the West learned that their debit card tracking numbers and Personal Identification Numbers were jeopardized by skimmers installed in multiple ATMs. Reports show that although it seems as if Magecart attacks are less prevalent, they’re still present. Malwarebytes has found a new, covert campaign using the infrastructure of “a pretty wide network”.
Although Magecart mainly targets e-commerce websites, it breaches other types of sites as well, because it can steal data entered online that may be sensitive or monetizable.
In case you do not remember this attack, here are more details. Financial information was stolen due to a third-party website being compromised. Additional tickets were obtained by Magecart operatives who placed skimmers on Ticketmaster checkout pages. In total, 800 websites were affected.
Researchers now believe the skimmer domain spotted in a Sansec report on June 9 to be malicious. Two days later, another researcher found a host that had been hacked and connected back to an e-commerce website. Researchers found a campaign in which hackers infected a skimmer that would detect virtual machines. There is no clear reason why the scripts were removed.
Reshipping is the process of obtaining an item by fraudulently buying it online and then causing the package to be sent to an address that is different from the original one. RiskIQ’s research revealed how some actors in Magecart have invested a lot of time into this low-risk method and have been able to generate a significant amount of money, enough to make them want to continue doing it.
RiskIQ announced that automated activity from hackers going through S3 bucket vulnerabilities found an increase in customer information, compromising over 18,000 different domains. RiskIQ pivoted and searched for Magecart activity. They found a domain related to this activity, and the server for the domain was related to a reshipping company website falsely advertising itself as a freight/logistics provider. In one example, the proceeds are laundered via the more traditional method of money mules, but instead of bank transfers, the funds are diverted into higher-priced goods, which can be shipped across borders without attracting suspicion and sold for a hefty profit.
Malwarebytes researchers discovered that the novel Magecart skimmer domain identified by Sansec, as well as a suspected host determined by another security researcher, were both tied to a more widespread campaign. However, it was found that the skimmer had its VM code removed. A server-side Magecart threat is possible, and if so, Malwarebytes may be missing these attacks.
There has been less talk about ‘Magecart’ recently. Marketing teams seem to be reusing the same breaches from years ago. But we don’t know if the landscape has changed regarding marketing threats. That’s why we rely on researchers who report website breaches and other hacking events. If they notice an issue, they’ll report it, which means we can prevent these hacks from happening.
Magecart attacks can be highly targeted and custom-tailored to work on a handful of sites. While Magecart attacks are decreasing, they are becoming more difficult to track due to their stealthy nature. Researchers found potential blind spots in servers when trying to identify the perpetrators, with both server-side and client-side mistakes occurring.