Monday, December 5, 2022





It has been reported that the Bank of the West learned that its debit card tracking numbers and Personal Identification Numbers were jeopardized by skimmers installed in multiple ATMs. Reports show that although Magecart attacks seem less prevalent, they are still present. Malwarebytes has found a new, covert campaign using the infrastructure of “a pretty wide network”.

Magecart also refers to the JavaScript code injected into any site that has not taken preventative measures against such attacks. Attackers gain access to websites, for example through third-party services, and then extract debit and credit card information by injecting malicious JavaScript into those websites.

Who has been impacted by Magecart?

Although Magecart mainly targets e-commerce websites, it breaches other types of sites as well, because it can steal any sensitive or monetizable data that is entered online.

The Magecart cyber attack and Ticketmaster

Remember this attack? If not, here are more details. Financial information was stolen due to a third-party website being compromised. Additional tickets were obtained by Magecart operatives who placed skimmers on Ticketmaster checkout pages. 800 websites were affected in total.

A British Airways website and mobile app had been breached, compromising 380,000 customers’ credit cards. Both the British Airways website and the accompanying phone application were affected, compromising 378,000 customers’ credit cards. It was attributed to a hacker called Magecart using malicious software. Magecart operatives compromised British Airways by modifying the JavaScript on its payment forms to steal customer data. They were careful not to disrupt the usability of the forms, to avoid detection. The attackers knew that breaching the BA website also meant breaching the BA app, and vice versa.

Researchers now believe the skimmer domain spotted in a Sansec report on June 9 to be malicious. Two days later, another researcher found a host that had been hacked and connected back to an e-commerce website. Researchers found a campaign in which hackers used a skimmer that would detect virtual machines. There is no clear reason why the scripts were removed.

The connection between Magecart and Magento

Magecart is an amorphous, panchromatic cyber attack surface with the most dangerous vector being JavaScript. To avoid this, be aware of what you are running on your website and include cybersecurity in your business practices. Magecart is always connected to one program: Magento, which is one of the most popular third-party shopping software packages. Magecart groups often target people exploiting these programs, who can control an enormous part of e-commerce.

Learn about the techniques Magecart uses to monetize

Reshipping is the process of obtaining an item by fraudulently buying it online and then causing the package to be sent to an address that is different from the original one. RiskIQ’s research revealed that some actors in Magecart have invested a lot of time in this low-risk method and have been able to generate a significant amount of money, enough to make them want to continue doing it.

RiskIQ announced that automated activity by hackers going through S3 bucket vulnerabilities led to an increase in compromised customer information, affecting over 18,000 different domains. RiskIQ pivoted and searched for Magecart activity. They found a domain related to this activity, and the server for the domain was related to the website of a reshipping company falsely advertising itself as a freight/logistics provider. In one example, the proceeds are laundered via the more traditional method of money mules, but instead of this being done through bank transfers, the funds are diverted into higher-priced goods which can be shipped across borders without attracting suspicion and sold for a hefty profit.

Malwarebytes researchers discovered that the novel Magecart skimmer domain identified by Sansec, as well as a suspected host determined by another security researcher, were both tied to a more widespread campaign. However, it was found that the skimmer had its VM code removed. A server-side Magecart threat is possible, and if so, Malwarebytes may be missing these attacks.

There has been less talk about ‘Magecart’ recently. Marketing teams seem to be reusing the same breaches from years ago. But we don’t know if the landscape has changed regarding marketing threats. That’s why we rely on researchers who report website breaches and other hacking events. If they notice an issue, they’ll report it, which means we can prevent these hacks from happening.

The bottom line of Magecart

Magecart attacks can be highly targeted and custom-tailored to work on a handful of sites. While Magecart attacks are decreasing, they are becoming more difficult to track due to their stealthy nature. Researchers found potential blind spots in servers when trying to identify the perpetrators, with both server-side and client-side mistakes occurring.

Anti-virus software can stop these cyberattacks. Magecart exploits a vulnerability in the website or its third-party dependencies and installs malicious JavaScript code on the site. This code harvests what a customer enters into the payment fields.
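
Being aware of what runs on a payment page starts with an inventory of its scripts. The following is an added example, not code from this post or from any vendor it names: it lists the scripts a checkout page loads and flags third-party ones that come from a host outside an allow list or that lack a Subresource Integrity attribute. The hosts, the sample HTML and the function names are assumptions, and the regex-based tag matching is a simplification of real HTML parsing.

```javascript
// Added example: inventory the scripts a checkout page loads and flag the
// ones that need review. Hosts and HTML below are constructed.
const PAGE_ORIGIN = "https://shop.example";   // assumption: the store's own origin
const ALLOWED_HOSTS = new Set(["shop.example", "js.payments.example"]); // assumption

// Constructed sample of a checkout page's markup.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="https://js.payments.example/v3/extra.js"></script>
<script>var cartId = 42;</script>`;

// Pull one attribute value out of a tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i").exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per <script> element, with the reasons it needs review.
function auditScripts(html, pageOrigin, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = attr(attrs, "src");
    if (src === null) {
      // Inline code cannot be pinned with SRI; it has to be tracked by review.
      if (body.trim()) findings.push({ src: "(inline)", issues: ["inline-script"] });
      continue;
    }
    const url = new URL(src, pageOrigin);       // resolves relative paths
    const thirdParty = url.origin !== new URL(pageOrigin).origin;
    const issues = [];
    if (!allowedHosts.has(url.hostname)) issues.push("host-not-allowlisted");
    if (thirdParty && !attr(attrs, "integrity")) issues.push("third-party-without-sri");
    findings.push({ src: url.href, issues });
  }
  return findings;
}

// Only the entries that need a human to look at them.
function flagged(html, pageOrigin = PAGE_ORIGIN, allowedHosts = ALLOWED_HOSTS) {
  return auditScripts(html, pageOrigin, allowedHosts).filter(f => f.issues.length > 0);
}

console.log(JSON.stringify(flagged(SAMPLE_CHECKOUT_HTML), null, 2));
```

Run on a schedule against the rendered checkout page, a change in the flagged list is a signal that a script was added or that a dependency is no longer pinned.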