Magecart Monthly: 65K attempts to steal credit card information in July

Read the latest news on Magecart attacks! We’ve trawled the web for the latest news of data breaches, including updates on previous attacks with insights from our own Security Researcher.

Latest News:

  • 962 Infected Websites
  • British Airways Update
  • Pelican Cases
  • Amazon S3 Buckets
  • 65K Attempts to Steal Credit Card Information in July

962 Infected Websites 

In the largest 24-hour Magecart-style web-skimming attack to date, 962 online shops have had their customers’ card details stolen. Willem de Groot told Computer Business Review, “This is the largest number of breaches [of] stores over a 24-hour period, which implies that their operation is highly automated. Victims are from all over the world, so were likely chosen opportunistically.”

RapidSpike Security Researchers looked into the JavaScript skimmer code uploaded to GitHub and agreed that the malicious code was developed to steal customers’ sensitive details, including names, phone numbers, addresses and, of course, payment details. They explain, “Looking into this attack it appears the campaign scanned vulnerabilities, in particular missing PHP patches, in websites’ security and injected malicious JavaScript onto sites with flaws.”

They go on to say, “Some Magecart groups have specific target markets, however, this campaign was designed to compromise any site it can. From our experience monitoring Magecart attacks we have found malicious code on websites of companies of all sizes, it’s important website owners know there are detection tools available to protect their sites. The RapidSpike Data Breach Monitor can detect formjacking, supply chain and web skimming attacks before a data breach occurs.”

Yonathan Klijnsma told Bleeping Computer that the group behind the attack is believed to be Magecart Group 7, whose modus operandi includes automated exploits for known bugs and targeting a large quantity of sites. Klijnsma explains the Magecart group “does not use servers, adding the script tag directly on the website so a victim normally encounters this skimmer as a small snippet of script on their website.”

Amazon S3 Buckets

In early April a Magecart campaign began in which over 17,000 websites were infected with malicious skimming code due to misconfigured Amazon S3 buckets. The affected websites include some in the top 2,000 of the Alexa rankings. Magecart Group 7 is believed to be responsible for the attack.

On 4th July Threat Researcher @micham discovered a Magecart skimmer on newspaper site The Guardian. Security Researcher Jerome Segura explained that an old AWS S3 bucket was exploited using wix-cloud[.]com as a skimmer gate.

Yonathan Klijnsma explains, “These actors automatically scan for buckets which are misconfigured to allow anyone to view and edit the files it contains. Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js).” The Hacker News (THN) reported on the attack, describing it as like “shooting an arrow in the dark”. Researchers told THN “Although the attackers have had lots of success spreading their skimmer code to thousands of websites, they sacrificed targeting in favor of reach.”

Not all targets landed on payment pages; however, due to the nature of the attack, the attackers only need to land on one payment page to gain a substantial return on investment. Dev Pro Journal reported an estimate that, by stealing just 10 credit cards per website, cybercriminals earn up to $2.2M per month via formjacking attacks. Recommendations for defending against these attacks include monitoring third parties and where data is being sent.

British Airways Update

The Information Commissioner’s Office (ICO) has said it intends to fine British Airways £183.4m for its data breach last year. British Airways disclosed that it had suffered an attack between April and June 2018 which affected around 500,000 customers. After an “extensive investigation”, the ICO concluded that customers’ data was compromised by “poor security arrangements”. British Airways has responded to the proposed fine, saying it is “surprised and disappointed”.

Pelican Cases

As mentioned in Magecart Monthly: Record £183m fine for British Airways, Twitter has become a space for individuals and security researchers to report Magecart discoveries. On the 8th July, Jerome Segura discovered a web-skimmer on the website of suitcase and travel accessory provider, Pelican. Segura tweeted his discovery including the Skimmer: write-cdn[.]com, 93.158.203[.]189 and Exfiltration gate: nogaron[.]com, 185.143.223[.]105, explaining in a note that “skimmer JS and gate change often”. Segura made Pelican aware of the website skimmer and it appears the website is now clean. 

65K attempts to steal credit card information in July

Security Boulevard reported that security researchers detected and blocked over 65,000 attempts to steal credit card information from compromised online stores during July. The data collected showed the distribution of attacks, with the United States accounting for the lion’s share of attacked websites at 53.5%, followed by Canada at 15.7% and Germany at 6.8%.

Top 10 Countries for Magecart activity in July (Source: Malwarebytes)

RapidSpike security researchers have taken the time to investigate all attacks mentioned. We can confidently say our Data Breach Monitor would have detected every attack.

Detect website skimming, formjacking and supply chain attacks. Easily protect against unauthorised changes to your critical JavaScript files with RapidSpike Data Breach Monitor.
