Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.
Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, give attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.
A Widespread Campaign
As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.
Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:
- A video-game trading platform in Japan
- A chemical manufacturing organization
- Various low-level news websites
CloudCMS is a headless content management system that's used to create and manage web content. The Magecart skimmer was inserted into a CloudCMS-hosted script on May 10th at 15:56:42 GMT, injected at the bottom of the script:
The Magecart attack on CloudCMS focused on a particular set of scripts, Alpaca Forms for Bootstrap. Luckily, the fact that the skimmer was isolated to just these files significantly reduced the number of sites exposed. CloudCMS hosted these scripts as part of CDN functionality and not for their customers, so customers were not affected by this attack unless they purposely added these scripts to their sites.
RiskIQ only observed a few hundred websites using CloudCMS-hosted scripts. Here are the compromised resources we saw (there are likely more):
Note: We have been in contact with CloudCMS, which launched an investigation after our initial reporting. They were able to pinpoint and mitigate the cause of the breach. They have since implemented improved security controls to avoid attacks like this in the future.
Here is an example of what it looked like in a RiskIQ crawl. You can spot the beginning of the skimmer at the bottom (skimmer highlighted in red):
Unlike CloudCMS, RiskIQ telemetry indicates that Picreel is a popular service. We saw hundreds of websites load the script, but due to this mistake, it wouldn't always execute in a browser, which likely spared victims. Here are the compromised resources we observed, but there are likely more:
AdMaxim is an ad platform provider for building out mobile ad campaigns. On May 10th at 20:20:05 GMT, Magecart actors compromised the AdMaxim CDN infrastructure and inserted their skimmer into scripts hosted on the AdMaxim CDN.
Here is an example of what it looks like in a crawl, skimmer highlighted with a red outline:
We haven’t observed many cases of AdMaxim’s CDN being used directly on websites—the skimmer doesn’t show up that much in our telemetry (a few hundred cases). Here are the compromised resources we observed (there are likely more):
RYVIU is a supplier that improves conversion rates on e-commerce websites with analytics technology placed on customers’ sites.
The attackers compromised RYVIU’s CDN, which hosts the scripts loaded by customers, and the skimmer has been active since May 10th at 21:26:31 GMT. Here’s what the skimmer looked like injected into RYVIU’s script (skimmer highlighted in red):
We observed only this single resource to be compromised at this time.
AppLixir is an ad provider in the mobile app space that provides in-app video ads.
Attackers inserted a skimmer into one of the AppLixir SDK scripts on May 10th at 19:32:50 GMT. Here’s an example of the modified SDK loaded with the skimmer (skimmer highlighted in red):
We observed only this single resource to be compromised at this time.
eGain is a supplier of web-based IT applications.
While eGain was compromised and skimmers were inserted into multiple scripts, those scripts were used for the eGain website itself and did not appear on their customers’ sites. Attackers added the skimmers on May 1st at 05:30:07 GMT, and the skimmer looks like this (skimmer highlighted in red):
We observed the following compromised resources:
OmniKick (Growth Funnel)
Growth Funnel is a content marketing supplier for growing customer engagement with a focus on email curation for marketing.
The attackers modified one of the main resources for Growth Funnel on their CDN on May 10th at 19:46:55 GMT. Below is an example of the injected skimmer (highlighted in red). Again, the attackers managed to break the original script with the broken encoding, possibly sparing more victims:
We only observed this single resource to be compromised.
Exfiltration & Infrastructure
The same skimmer was used for attacks against both services, which indicates it was the same Magecart Group. The exfiltration domain where stolen card data would have been sent was font-assets.com, which is associated with ww1-filecloud.com, another domain owned by the same attackers.
Part of what makes supply chain attacks so successful is that businesses lack visibility into their web-facing attack surface. In many cases, they have no idea that the third-party code on their web assets is dangerous—or that they're running that code at all.
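The visibility gap described here, together with the exfiltration infrastructure named in the section above, is something a site owner can turn into a routine check: list the third-party scripts a page loads, hash each script body, compare against a stored baseline, and scan anything that changed for known exfiltration domains. The Python below is an added example of such a check; it is not RiskIQ's code or any vendor's. The page HTML, the vendor script and its tampered copy are constructed samples, and the host names cdn.vendor.example and shop.example are placeholders. The two exfiltration domains are the ones reported above.

```python
"""
Added example (not from the original post): baseline monitoring of the
third-party scripts a page loads. Every input is a constructed sample; the
script makes no network requests.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exfiltration domains reported in the post's infrastructure section.
KNOWN_EXFIL_DOMAINS = {"font-assets.com", "ww1-filecloud.com"}


class _ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_script_urls(html, page_host):
    """Return script URLs served from a host other than the page's own."""
    parser = _ScriptSrcParser()
    parser.feed(html)
    urls = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            urls.append(src)
    return urls


def sri_digest(body):
    """sha384 digest of a script body in Subresource Integrity notation."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")


def exfil_domains_in(script_text):
    """Known exfiltration hostnames referenced by absolute URL in a script."""
    hits = set()
    for match in re.finditer(r"https?://([A-Za-z0-9.-]+)", script_text):
        host = match.group(1).lower()
        if host in KNOWN_EXFIL_DOMAINS:
            hits.add(host)
    return hits


def check_scripts(baseline, current):
    """
    baseline: {url: sri_digest of the reviewed copy}
    current:  {url: script body as bytes, as served right now}
    Returns (url, reason, exfil_hosts) for each resource that is new,
    differs from the baseline, or references known exfiltration hosts.
    """
    findings = []
    for url, body in current.items():
        digest = sri_digest(body)
        hits = exfil_domains_in(body.decode("utf-8", errors="replace"))
        if url not in baseline:
            findings.append((url, "new-resource", hits))
        elif baseline[url] != digest:
            findings.append((url, "content-changed", hits))
        elif hits:
            findings.append((url, "exfil-domain-in-baseline", hits))
    return findings


# --- constructed sample input (placeholder hosts, not real sites) ----------
PAGE_HOST = "shop.example"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/widget.js"></script>
<script>window.inline = 1;</script>
</head><body></body></html>"""
WIDGET_URL = "https://cdn.vendor.example/widget.js"
CLEAN_WIDGET = b"(function(){window.widgetReady=true;})();\n"
# Tampered copy: the original is left intact and a block referencing the
# reported exfiltration domain is appended, the position the post describes.
TAMPERED_WIDGET = CLEAN_WIDGET + b"// constructed stand-in for an injected block\n" \
    b"new Image().src='https://font-assets.com/';\n"


def demo():
    """Run the check against the sample page with a tampered vendor script."""
    baseline = {WIDGET_URL: sri_digest(CLEAN_WIDGET)}
    current = {WIDGET_URL: TAMPERED_WIDGET}
    return check_scripts(baseline, current)


if __name__ == "__main__":
    for url in external_script_urls(SAMPLE_HTML, PAGE_HOST):
        print("third-party script:", url)
    for finding in demo():
        print("finding:", finding)
```

A hash mismatch also fires on a vendor's legitimate update, so treat "content-changed" as a trigger for review rather than proof of compromise; the domain match is what separates the two in this sample. For scripts the vendor rarely changes, the same sha384 value can be pinned in the script tag's integrity attribute, in which case the browser refuses to run a modified copy at all.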
Credit card-skimming groups like Magecart are gaining efficiency, so it takes less time than ever for consumers to see their data stolen, seemingly out of nowhere. In the end, it doesn't matter to consumers whether this happens as the result of a traditional breach or a web-based supply chain attack. The reputation of organizations that run payment forms online is at stake, as well as the overall confidence of online shoppers.
Magecart: Don't Lose Sight of the Problem
You've lately heard a ton of chatter from security vendors around Magecart — what it is, how it operates, and how you can defend against it. The problem is that most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. They’re copying the research of others, and some even add to the confusion by calling Magecart something completely different like “form jacking.”
Cut through the noise. Because of RiskIQ's internet-scale visibility and ability to view a business’s internet-facing attack surface as Magecart sees it, our researchers and technology first exposed, profiled, and analyzed Magecart. We now continue to detect it as it evolves.