Magecart Monthly: May
A new monthly feature covering everything Magecart in the news. This summary gives you the known facts about the data breaches reported this month, along with insight from our own RapidSpike security researcher.
New attacks this month:
- Over 100 Websites Attacked
- Picreel and Alpaca Forms
- Forbes
- Cleor
- Leicester City FC
Over 100 Websites Attacked
In early May, NetLab 360 discovered an attack on over 100 websites that had gone undetected for 5 months. As in other Magecart attacks, the malicious domain imitated a legitimate one, in this case that of the well-known e-commerce CMS vendor, Magento.
The domain Magento-analytics [.] com was used to disguise the code. The domain was registered in Panama, but its IP address has moved between several countries. This behaviour prompted NetLab 360 to investigate the domain, and that is when they discovered JavaScript skimming financial data.
During the 5-month long attack
Picreel and Alpaca Forms
Sanguine Security researcher Willem De Groot discovered malicious code on over 4,600 websites using Alpaca Forms and Picreel: 1,249 websites were infected via Picreel, an analytics service, and 3,345 via the open-source form builder project Alpaca Forms.
Koddos reported ‘(Alpaca Forms)…was initially built by CloudCMS before being open-sourced over eight years ago with the company still providing a free CDN (Content Delivery Network) service for the project they birthed. In the case of Alpaca, the hackers managed to infiltrate the CloudCMS managed CDN to modify one of the alpaca scripts.’ Willem De Groot told ZDNet that the same threat actor was responsible for both attacks. The sensitive payment data was sent to the cybercriminal’s server in Panama.
Cloud CMS have responded to the attack discovery stating:
‘We investigated this. It wasn’t related to Cloud CMS but rather to the Alpaca forms open source project. We removed the free hosting of those infected js files for now. And will get them back online as quick as we can. Thank you for all of the information you provided!’
So far there has been no further information regarding how these attacks took place, however, Cloud CMS
Forbes
Security Researcher Troy Mursch, the Founder of Bad Packets Report, told Threatpost he noticed the
A Forbes spokesperson stated: ‘Forbes is fairly confident that no one was impacted by the skimmer.’ However, Mursch and experts at RapidSpike agree that if you purchased anything from the Forbes subscription website during the time of the attack, your details were most likely stolen.
Bleeping Computer
RapidSpike’s Security Expert investigated this attack and had the following to say;
‘This is the first high profile attack to use WebSockets to transfer stolen data and an example of how hackers are deploying more advanced features to get around services monitoring data breaches. Unfortunately, a lot of tools can’t detect WebSocket activity so this could be the start of a trend used by hacking groups. Obscurification techniques in the JavaScript skimmers themselves can only go so far, so it makes sense to try and mask the exfiltration process as well.’
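The point about WebSocket exfiltration slipping past tools that only watch HTTP requests is one a site owner can act on in the page itself. The block below is an added example, not RapidSpike's or any vendor's code: it wraps the page's `WebSocket` constructor so that any socket opened to a host outside an allowlist is reported to a callback (for example a beacon to the site's own logging endpoint), while still handing the connection to the native constructor so legitimate features keep working. In a browser it would be called once with `window`, before any third-party script runs; here the global object is a parameter so the same function runs against a constructed stand-in under Node. The host names `ws.shop.example`, `chat.vendor.example` and `unlisted-host.example` and the `FakeWebSocket` class are constructed for the example.

```javascript
// Added example (not the page's or any vendor's code): monitoring WebSocket egress
// from a page by wrapping the WebSocket constructor. This reports unexpected
// destinations; enforcement belongs in a Content-Security-Policy connect-src.

function installWebSocketMonitor(globalObj, allowedHosts, report) {
  const NativeWebSocket = globalObj.WebSocket;
  if (typeof NativeWebSocket !== 'function') {
    throw new Error('no WebSocket constructor to wrap');
  }
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));

  function MonitoredWebSocket(url, protocols) {
    let host = null;
    try {
      host = new URL(String(url)).hostname.toLowerCase();
    } catch (e) {
      // Unparsable URL: leave host null so it is reported, then let the native
      // constructor raise its own error below.
    }
    if (host === null || !allowed.has(host)) {
      report({
        kind: 'websocket',
        url: String(url),
        host,
        page: globalObj.location ? String(globalObj.location.href) : null,
      });
    }
    // Always hand off to the real constructor: this is monitoring, not blocking.
    return protocols === undefined ? new NativeWebSocket(url) : new NativeWebSocket(url, protocols);
  }
  // Keep instanceof checks and the readyState constants working for page scripts.
  MonitoredWebSocket.prototype = NativeWebSocket.prototype;
  for (const k of ['CONNECTING', 'OPEN', 'CLOSING', 'CLOSED']) {
    if (k in NativeWebSocket) MonitoredWebSocket[k] = NativeWebSocket[k];
  }
  globalObj.WebSocket = MonitoredWebSocket;
  return NativeWebSocket; // returned so the caller can restore it
}

// Constructed stand-in for the browser's native constructor, so the example runs in Node.
class FakeWebSocket {
  constructor(url, protocols) {
    this.url = String(url);
    this.protocols = protocols;
    this.readyState = FakeWebSocket.CONNECTING;
  }
}
FakeWebSocket.CONNECTING = 0;
FakeWebSocket.OPEN = 1;
FakeWebSocket.CLOSING = 2;
FakeWebSocket.CLOSED = 3;

// Constructed checkout page: one expected first-party socket, one to an unlisted host.
function demo() {
  const fakeWindow = { WebSocket: FakeWebSocket, location: { href: 'https://shop.example/checkout' } };
  const reports = [];
  installWebSocketMonitor(fakeWindow, ['ws.shop.example', 'chat.vendor.example'], (r) => reports.push(r));
  new fakeWindow.WebSocket('wss://ws.shop.example/live');
  new fakeWindow.WebSocket('wss://unlisted-host.example/socket');
  return reports;
}

for (const r of demo()) {
  console.log(`ALERT ${r.kind} to ${r.host} from ${r.page}: ${r.url}`);
}
```

Two caveats a practitioner should keep in mind: a script that runs before the wrapper can keep a reference to the native constructor (or open a socket from a fresh iframe), so this hook is a detection aid rather than a guarantee, and WebSockets are only one channel. The same wrapping idea applies to `fetch`, `XMLHttpRequest` and `navigator.sendBeacon`, and a `connect-src` directive in the site's Content-Security-Policy is what actually stops connections to hosts that are not on the list.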
Cleor
French Jewellery Chain
The code was injected into the website alongside a legitimate Facebook tracking script. Disguised in a similar manner to the BA skimmer code, external domain
The skimmer acted as a keystroke logger, capturing card details as they were typed rather than only when the form was submitted, so customers who did not complete their purchase are also at risk. Magecart attacks leave the legitimate payment flow untouched: the order still goes through to the website as normal, which makes skimming difficult to spot without a dedicated detection solution.
There are no further details regarding infection time or the
Leicester City FC
Sneaking in at the end of May came the discovery of a payment skimmer on the Leicester City FC merchandise website, which had compromised the site for 11 days between 23rd April and 4th May.
The Register first reported the attack, speaking to a ‘Foxes Follower’ who gave inside information explaining how Leicester City FC emailed customers with the following message:
“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.”
A formal statement from the club explains that an on-going investigation into the data breach is taking place. Leicester City FC informed the Police, the Information Commissioner’s Office (ICO), and all affected customers.
This attack follows recent Magecart attacks on other sports websites, including the Atlanta Hawks and Umbro Brasil merchandise stores, the Topps sports collectibles site and Puma Australia’s apparel site.
RapidSpike security researchers have taken the time to investigate all attacks which occurred in May. We can confidently say our Data Breach Monitor would have detected every attack. Click here to learn more about Magecart Attack Detection.
Other Security News:
- How hackers attacked Microsoft’s GitHub.
- Polymorphic Magecart Skimmer Uses Over Fifty Payment Gateways.
- Supply chain attacks: Mitigation and protection.
- Tips to keep your company and customers safe online.
- Data breaches present an increasing risk for brand reputation.
- The Rundown on Formjacking: what it is and how cybercriminals use it.