Magecart Monthly: Halloween Special

October brings Halloween and National Cybersecurity Awareness Month, however, it has also been one of the scariest months for Magecart attack discoveries! Here’s the latest news on Magecart and other website attacks, with insights from our own Security Researcher!

Latest attacks:

• Sesame Street and Volusion Customers
• Umbro Brasil
• Mission Health
• P&G’s First Aid Beauty
• Sixth June
• American Cancer Society
• Halloween Special

Sesame Street

On October 8th, Bleeping Computer revealed that hackers had compromised Volusion – an ecommerce shopping cart provider. As many as 6,600 websites may have been affected, including the popular Sesame Street website. Some websites were compromised as early as September 12th. The number of consumers affected is so far unknown, however, Medium explains; “Supposedly, shoppers have spent more than $28 billion in transactions and placed over 185 million orders on Volusion stores.”

Looking at the Sesame Street merchandise store, sesamestreetlivestore.com, we can see some unusual code appeared: ‘resources.js’. This file was loaded from storage.googleapis.com in the bucket named ‘volusionapi’. 

This was an advanced attack with the attacker naming the files with a legitimate description from an API that handles cookies. Investigating the script it is siphoning credit card information to another domain. The domain is also disguised to look like a legitimate analytics domain, however, a whois check shows the domain was registered on September 7th. On October 8th, Volusion confirmed via Twitter that they have now fixed the vulnerability on their site, although no further details have been confirmed. 

Umbro Brasil

Umbro Brasil appear to have been hacked not once, not twice but three times in October. 11 months ago the popular sportswear brand were first hacked with two web-skimmers. The second skimmer, thought to be associated with Magecart Group 9, was sabotaging the customer’s details which the first skimmer was stealing, replacing the last card number with a random digit, and stealing the actual payment details themselves. 

Fast-forward to October 15th and RapidSpike’s Security Researcher discovered two new website skimmers. These were removed a few days later. However, on October 21st new malicious code appeared. The hosts used (fileskeeper[.]org and mageento[.]com) are already known by RapidSpike Magecart Detection. 

RapidSpike’s Security Researcher explains; “the malicious scripts use the JavaScript function “atob”, which just decodes a base-64 encoded string. The opposite of the “btoa” function. So if you run btoa(“checkout”) you get “Y2hlY2tvdXQ=”. Then if you run that back through atob(“Y2hlY2tvdXQ=”) you get “checkout” again. The base-64 encoded string of “checkout” seems very popular in these attacks, it’s added to a condition to check the customer is on the “checkout” page before loading the script – there’s no point loading anything and raising suspicion.” The code has now been removed from the site, with no comment from the company.

Mission Health

On October 16th, ABC WLOS reported a Magecart attack on the health-care provider Mission Health, which had lasted over 3 years. Mission Health is based in North Carolina and also offer health-related products on their online store, which is where the Magecart attack occurred. 

Mission Health announced their site had been infected with malicious code from March 2016 until June 2019. In a statement mailed to affected customers, Mission Health stated: “Mission Health takes the privacy and security of information very seriously. Regrettably, we recently identified and addressed a security incident that may have involved some of the information consumers provided when making purchases on the Mission Health eCommerce website, either at store.mission-health.org or shopmissionhealth.org.” 

They go on to say “The impacted website was not part of our primary missionhealth.org site and has been taken offline and is being completely rebuilt.” No details about the code have been released or the number of customers affected. This is one of many health care-related data breaches discovered in 2019, others include; US Medical Collection company, AMCA whose data breach affected over 11.9m Quest Diagnostics and Labcorp patients.

P&G’s First Aid Beauty

Health and consumer mega-brand Procter and Gamble (P&G) have had a 5-month long Magecart attack on one of their brands, First Aid Beauty. Willem de Groot discovered the malicious script present on the website since May 5th. Despite contacting them, a week later he still had not received a reply from them and the malicious script was still active. It is not yet known how many customers have been affected by the malicious code – however, the site has approximately 100,000 monthly visitors in the past six months. 

Hacked: @ProcterGamble's https://t.co/qz62iHDazn has had a payment skimmer since May 5th. Fairly advanced: malware does not activate for non-US visitors, or if you run Linux (ie security researchers). pic.twitter.com/HAc7UunK5n

— gwillem (@gwillem) October 25, 2019

Procter & Gamble returned a request for comments from Bleeping Computer on October 25th, stating: “Consumer trust is fundamental to us, and we take data privacy very seriously. As soon as we learned about the compromise of the First Aid Beauty site, we moved quickly to take the site down and minimize the impact to our consumers. We are currently investigating the source of the malware and working to identify and notify those consumers who might have been impacted to ensure we provide them the necessary support.”

RapidSpike’s Security Researcher explains; “Very often Security Researchers do not receive a reply from the company they reach out to, (or even worse have the police called on them!) There are some misunderstandings when it comes to these types of reports and the intentions of those reporting the attack. If a vulnerability has been brought to your attention it is always worth investigating to ensure customers can safely shop on your site.”

Sixth June

On October 28th, RapidSpike’s Security Researcher revealed that French fashion brand Sixth June had a skimmer on their website. The brand have 400k social followers, are featured on ASOS and have been seen on celebrities including Khloe Kardashian. 

https://twitter.com/jknsCo/status/1188770129217314816

The skimmer was discovered on October 23rd but could have been present before this date. The specific skimmer used has also been discovered during a wider investigation and is apparent on at least another 80 websites. After reporting the attack to the company the previous week, there was no reply and the malicious code was still present. 

Upon customers checking out, the skimmer jumps into action. JavaScript code with the name ‘apiV3.js’ loads from ‘mogento[.]info’, (imitating the legitimate Magento domain), the encrypted payload is then sent via a POST to ‘mogento[.]info/images/visa-mastercard-amex_0.png’. The malicious component is hidden in a fake Google Tag Manager snippet. 

Not only were the attackers stealing financial information but other personal information was stolen included; account login information, email address, address details and phone numbers.

Finally, on October 30th the skimming code had been removed. The number of customers affected is unknown however, Bleeping Computer report the site has approximately 70,000 monthly visitors in September alone. The company are yet to comment on the incident.

American Cancer Society

The final reported Magecart attack of the month was on the American Cancer Society website. On 28th October, TechCrunch reported the site as the latest victim of credit card-stealing malware. Willem de Groot made the attack discovery which used a similar skimming method as the Sixth June hack. 

The code was disguised behind legitimate Google Tag Manager code. Upon customers checking out, the code searches for ‘checkout’ and then loads the actual skimming code from ‘thatispersonal.com/assets/cancer.js’, hosted in Russia. The code was injected into the store around the same time as the Sixth June hack. The skimmer was discovered on October 24th and was removed the following day. 

Halloween Special

Investigating Magecart attacks our Security Researcher came across a very seasonal attack. A Halloween site has been compromised to be used as a third-party site to host exfiltration script from more than 600 other hacked websites. The 600+ websites have been compromised with a skimming script, stealing card payment data. This is an active attack, therefore it is unknown how many individuals are affected. 

RapidSpike security researchers have taken the time to investigate all Magecart attacks mentioned. We can confidently say our Magecart Detection would have detected every attack. 

Other Security News:

• Thousands given green light to make compensation claim over BA data breach
• Cyber-Attacks Are Biggest Business Risk in Europe and US
• Magecart Group 5 Linked to Carbanak Gang
• Hackers hover near online shopping carts, too. It’s called e-skimming
• FBI Warns Govt Agencies, SMBs to Defend Against E-Skimming Threats
• Cyber Attack Risk Climbs in Latest WEF Regional Risk Report
• A new security mindset: Shift from prevention to monitoring