Magecart Monthly: May
A new monthly feature covering all things Magecart in the news. This summary gives you the known facts about the data breaches reported this month, along with insight from RapidSpike's own Security Researcher.
New attacks this month:
- Over 100 Websites Attacked
- Picreel and Alpaca Forms
- Leicester City FC
Over 100 Websites Attacked
In early May, NetLab 360 discovered an attack on over 100 websites that had gone undetected for 5 months. As in other Magecart attacks, the malicious domain imitated a legitimate one, on this occasion that of the well-known e-commerce CMS vendor Magento.
During the 5-month long attack
Picreel and Alpaca Forms
Sanguine Security researcher Willem De Groot discovered malicious code on over 4,600 websites using Alpaca Forms and Picreel. 1,249 websites were infected via Picreel, an analytics service, and 3,345 websites via the open-source form builder project Alpaca Forms.
Koddos reported: ‘(Alpaca Forms)…was initially built by CloudCMS before being open-sourced over eight years ago with the company still providing a free CDN (Content Delivery Network) service for the project they birthed. In the case of Alpaca, the hackers managed to infiltrate the CloudCMS managed CDN to modify one of the alpaca scripts.’ Willem De Groot told ZDNet that the same threat actor was responsible for both attacks. The sensitive payment data was sent to the cybercriminal’s server in Panama.
Cloud CMS responded to the discovery of the attack, stating:
‘We investigated this. It wasn’t related to Cloud CMS but rather to the Alpaca forms open source project. We removed the free hosting of those infected js files for now. And will get them back online as quick as we can. Thank you for all of the information you provided!’
So far there has been no further information regarding how these attacks took place, however, Cloud CMS
Security Researcher Troy Mursch, the Founder of Bad Packets Report, told Threatpost he noticed the
A Forbes spokesperson stated: ‘Forbes is fairly confident that no one was impacted by the skimmer.’ However, Mursch and experts at RapidSpike agree that if you purchased anything from the Forbes subscription website during the time of the attack, your details were most likely stolen.
RapidSpike’s Security Expert investigated this attack and had the following to say:
French Jewellery Chain
The code was injected into the website alongside a legitimate Facebook tracking script. Disguised in a similar manner to the BA skimmer code, external domain
A keystroke logger captured card details as soon as they were typed, not only when the form was submitted, so customers who did not complete their purchase are also at risk. Magecart attacks leave the legitimate payment flow untouched: the payment still goes through to the website as normal, which makes the skimming hard to spot without a detection solution.
There are no further details regarding infection time or the
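The mechanism described in this section (a skimmer loaded as one more third-party script, hidden beside a legitimate tracker and reporting to a lookalike domain) is exactly what a page-side script inventory check is meant to catch. The Python script below is an added example written for this post; it is not RapidSpike's Data Breach Monitor or code from any of the write-ups quoted here. It parses a constructed checkout page, lists every external script host that is not on a hypothetical allowlist, and flags hosts whose labels imitate a known brand name, with the Magento lookalike from this month's 100-site attack as the model. The brand list, the allowlist and every hostname in the sample are assumed values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the script hosts this shop's owner actually expects to
# load on the checkout page (first party plus the Facebook tracking script the
# skimmer above hid beside). Any host outside this set deserves a look.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "connect.facebook.net"}

# Brand names that skimmer domains have been seen to imitate. Magento is the one
# named in this month's 100-site attack; the others are assumed for illustration.
IMITATED_BRANDS = ("magento", "facebook", "jquery")

# Constructed sample of a checkout page: two expected scripts, one inline script,
# two lookalike hosts and one host that is simply unknown.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://rnagento.example/js/mage/cookies.js"></script>
<script src="https://magento-analytics.example/track.js"></script>
<script src="https://cdn.other-vendor.example/lib.js"></script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def script_hosts(html):
    """Return the lower-cased hostnames of all external scripts, in page order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as 'rn' standing in for 'm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles_brand(host, brands=IMITATED_BRANDS, max_edits=2):
    """Return the brand a host label imitates (contains it or is a near-typo), else None."""
    for label in host.split("."):
        for brand in brands:
            if label == brand:
                continue  # the genuine brand label itself is not a lookalike
            if brand in label or (len(label) >= 4 and edit_distance(label, brand) <= max_edits):
                return brand
    return None


def audit_scripts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """List every script host outside the allowlist, noting any brand it imitates."""
    findings = []
    for host in script_hosts(html):
        if host in allowed:
            continue
        findings.append({"host": host, "resembles": resembles_brand(host)})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML):
        note = f" (resembles '{finding['resembles']}')" if finding["resembles"] else ""
        print(f"unexpected script host: {finding['host']}{note}")
```

Run against the constructed page, the two expected hosts pass, `rnagento.example` and `magento-analytics.example` are reported as Magento lookalikes, and `cdn.other-vendor.example` is reported as an unknown host with no brand match. The allowlist is the part that needs to be maintained: the check is only as good as the list of hosts the site owner has actually approved, and any host outside it, lookalike or not, should be investigated rather than ignored.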
Leicester City FC
Sneaking in at the end of May came the discovery of a payment skimmer on the Leicester City FC merchandise website, which compromised the site for 11 days between 23 April and 4 May.
The Register first reported the attack, speaking to a ‘Foxes Follower’ who gave inside information and explained that Leicester City FC had emailed customers with the following message:
“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.”
A formal statement from the club explains that an investigation into the data breach is ongoing. Leicester City FC has informed the police, the Information Commissioner’s Office (ICO), and all affected customers.
This attack follows recent Magecart attacks on other sporting websites, including the Atlanta Hawks and Umbro Brasil merchandise stores, the Topps sports collectibles site and Puma Australia’s apparel site.
RapidSpike security researchers have taken the time to investigate all attacks which occurred in May. We can confidently say our Data Breach Monitor would have detected every attack. Click here to learn more about our Data Breach Monitor.
Other Security News:
- How hackers attacked Microsoft’s GitHub.
- Polymorphic Magecart Skimmer Uses Over Fifty Payment Gateways.
- Supply chain attacks: Mitigation and protection.
- Tips to keep your company and customers safe online.
- Data breaches present an increasing risk for brand reputation.
- The Rundown on Formjacking, what is it and how cybercriminals use it.