
Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web skimmers placed in scripts served by several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit many providers simultaneously with the aim of reaching as many websites as possible.

Web-based supply-chain attacks, which compromise vendors that supply code to add or improve website functionality, give attackers access to a wide range of victims at once because the compromised code is often integrated into thousands of sites. In this blog, we’ll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.

A Widespread Campaign

As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.

Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:

  • A video-game trading platform in Japan
  • A chemical manufacturing organization
  • Various low-level news websites

CloudCMS

CloudCMS is a headless content management system that’s used to create and manage web content. The Magecart skimmer was inserted into a CloudCMS-hosted script on May 10th at 15:56:42 GMT, injected at the bottom of the script:

Only 20% of CloudCMS sites were affected by Magecart and potentially hundreds of visitors to sites using Picreel were spared. Here’s Why.

The attack on CloudCMS focused on a particular set of scripts, Alpaca Forms for Bootstrap. Luckily, the fact that the skimmer was isolated to just these files significantly reduced the number of sites exposed. CloudCMS hosted these scripts as part of CDN functionality and not for their customers, so customers were not affected by this attack unless they purposely added these scripts to their sites.

RiskIQ only observed a few hundred websites using CloudCMS-hosted scripts. Here are the compromised resources we saw (there are likely more):

  • https://code.cloudcms.com/alpaca/1.5.23/bootstrap/alpaca.min.js
  • https://code.cloudcms.com/alpaca/1.5.24/bootstrap/alpaca.min.js

Note: We have been in contact with CloudCMS, which launched an investigation after our initial reporting. They were able to pinpoint and mitigate the cause of the breach. They have since implemented improved security controls to avoid attacks like this in the future.

Picreel

Picreel is an analytics provider used to record user behavior on a website to improve conversion rates on online stores. Because website owners embed Picreel JavaScript into their sites, it became an attractive target for Magecart actors.

Magecart actors compromised and modified multiple scripts used by Picreel. However, the attackers made a costly mistake: they accidentally broke the file’s JavaScript syntax, so in some browsers the script failed to execute at all and the skimming code never ran on the site. In this attack, the skimmer was put in the script on May 10th at 21:26:56 GMT.

Here is an example of what it looked like in a RiskIQ crawl. You can spot the beginning of the skimmer at the bottom (skimmer highlighted in red):


The top part of the skimmer contains the broken JavaScript. The question-mark blocks indicate non-ASCII values: the script at the top is a compressed version of part of the old script and contains invalid characters, which was a major mistake by the attackers.

Unlike CloudCMS, Picreel is a popular service according to RiskIQ telemetry. We saw hundreds of websites load the script, but because of this mistake it wouldn’t always execute in a browser, which likely spared victims. Here are the compromised resources we observed, but there are likely more:

  • https://system.picreel.com/js/load_script.min.js
  • https://assets.pcrl.co/js/jstracker.min.js
  • https://system.picreel.com/js/blocked_sites.js
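The following is an added example, not code from the RiskIQ post or from any of the vendors named here. It shows why the encoding mistake described above spared visitors: a browser parses an entire script file before executing any of it, so a single invalid token anywhere in the file (including in an appended skimmer) raises a SyntaxError and nothing in the file runs, the vendor's original code included. The sample script and the appended bytes are constructed for the demo; `0xC3 0x28` is an invalid UTF-8 sequence that a decoder turns into U+FFFD, the "question mark block" seen in the crawl.

```javascript
// Added example (not from the RiskIQ post): a single invalid token appended to a
// script prevents the whole file, original code included, from running.

// Constructed stand-in for a legitimate vendor script.
const ORIGINAL_SCRIPT = Buffer.from(
  "window.vendorLoaded = true; function track(e) { return e.type; }",
  "utf8"
);

// Constructed appended content, valid UTF-8: "\nvar té1 = 1;" (0xC3 0xA9 = é).
const APPENDED_VALID = Buffer.concat([
  Buffer.from("\nvar t", "utf8"),
  Buffer.from([0xc3, 0xa9]),
  Buffer.from("1 = 1;", "utf8"),
]);

// Same content with a broken byte sequence: 0xC3 followed by 0x28 is not valid
// UTF-8, so a decoder emits U+FFFD and then reads 0x28 as "(".
const APPENDED_BROKEN = Buffer.concat([
  Buffer.from("\nvar t", "utf8"),
  Buffer.from([0xc3, 0x28]),
  Buffer.from("1 = 1;", "utf8"),
]);

// Decode bytes the way a browser decodes a UTF-8 script resource: invalid
// sequences become the replacement character U+FFFD rather than an error.
function decodeAsUtf8(bytes) {
  return new TextDecoder("utf-8").decode(bytes);
}

// Parse a script body without executing it. `new Function` compiles the whole
// body first, so it reports the same parse failure a browser would.
function compiles(source) {
  try {
    new Function(source);
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.name + ": " + e.message };
  }
}

// Count replacement characters: a cheap indicator that a script was
// mis-encoded somewhere along the way.
function countReplacementChars(text) {
  return (text.match(/\uFFFD/g) || []).length;
}

function runParseDemo() {
  const clean = decodeAsUtf8(ORIGINAL_SCRIPT);
  const validAppend = decodeAsUtf8(Buffer.concat([ORIGINAL_SCRIPT, APPENDED_VALID]));
  const broken = decodeAsUtf8(Buffer.concat([ORIGINAL_SCRIPT, APPENDED_BROKEN]));
  return {
    cleanParses: compiles(clean).ok,            // true
    validAppendParses: compiles(validAppend).ok, // true: é is a legal identifier character
    brokenParses: compiles(broken).ok,          // false: U+FFFD is not a legal token
    replacementChars: countReplacementChars(broken), // 1
    brokenError: compiles(broken).error,
  };
}

console.log(runParseDemo());
```

The contrast between the two appended variants is the point: the appended code is otherwise identical, and only the invalid byte sequence turns it into a parse failure. Note that U+FFFD inside a string literal or comment is perfectly legal, so a skimmer that kept its garbage inside quotes would have run normally.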

AdMaxim

AdMaxim is an ad platform provider for building out mobile ad campaigns. On May 10th at 20:20:05 GMT, Magecart actors compromised the AdMaxim CDN infrastructure and inserted their skimmer into scripts hosted on the AdMaxim CDN.

Here is an example of what it looks like in a crawl, skimmer highlighted with a red outline:

We haven’t observed many cases of AdMaxim’s CDN being used directly on websites—the skimmer doesn’t show up that much in our telemetry (a few hundred cases). Here are the compromised resources we observed (there are likely more):


RYVIU

RYVIU is a supplier that improves conversion rates on e-commerce websites with analytics technology placed on customers’ sites.

The attackers compromised RYVIU’s CDN, which hosts the scripts loaded by customers, and the skimmer has been active since May 10th at 21:26:31 GMT. Here’s what the skimmer looked like injected into RYVIU’s script (skimmer highlighted in red):


We observed only this single resource to be compromised at this time.

AppLixir

AppLixir is an ad provider in the mobile app space that provides in-app video ads.

Attackers inserted a skimmer into one of the AppLixir SDK scripts on May 10th at 19:32:50 GMT. Here’s an example of the modified SDK loaded with the skimmer (skimmer highlighted in red):


We observed only this single resource to be compromised at this time.

eGain

eGain is a general IT supplier that offers web-based applications.

While eGain was compromised and skimmers were inserted into multiple scripts, those scripts were used for the eGain website itself and did not appear on their customers’ sites. Attackers added the skimmers on May 1st at 05:30:07 GMT, and the injection looks like this (skimmer highlighted in red):


We observed the following compromised resources:

  • http://hd.egain.com/dx19/js/bootstrap.min.js
  • http://hd.egain.com/dx19/js/ie/respond.min.js
  • http://hd.egain.com/dx19/js/includes/contact_form.js
  • http://hd.egain.com/dx19/js/includes/subscribe.js
  • http://hd.egain.com/dx19/js/jquery.min.js
  • http://hd.egain.com/dx19/js/main.js
  • http://hd.egain.com/dx19/js/modernizr.min.js
  • http://hd.egain.com/dx19/js/plugins/appear.js
  • http://hd.egain.com/dx19/js/plugins/count-to.js
  • http://hd.egain.com/dx19/js/plugins/countdown.js
  • http://hd.egain.com/dx19/js/plugins/directions.js
  • http://hd.egain.com/dx19/js/plugins/flexslider.js
  • http://hd.egain.com/dx19/js/plugins/google-map.js
  • http://hd.egain.com/dx19/js/plugins/infobox.js
  • http://hd.egain.com/dx19/js/plugins/magnific-popup.js
  • http://hd.egain.com/dx19/js/plugins/nicescroll.js
  • http://hd.egain.com/dx19/js/plugins/pace.js
  • http://hd.egain.com/dx19/js/plugins/slick.js
  • http://hd.egain.com/dx19/js/plugins/validate.js
  • http://hd.egain.com/dx19/js/plugins/wow.js

OmniKick (Growth Funnel)

Growth Funnel is a content marketing supplier for growing customer engagement with a focus on email curation for marketing.

The attackers modified one of the main Growth Funnel resources on their CDN on May 10th at 19:46:55 GMT. Below is an example of the injected skimmer (highlighted in red). Again, the attackers broke the original script with invalid encoding, possibly sparing more victims:


We only observed this single resource to be compromised.

Exfiltration & Infrastructure

The same skimmer was used for attacks against both services, which indicates it was the same Magecart Group. The exfiltration domain where stolen card data would have been sent was font-assets.com, which is associated with ww1-filecloud.com, another domain owned by the same attackers.

Both domains have been taken down and/or sinkholed with the help of Abuse.CH and the Shadowserver Foundation.

Conclusions

Part of what makes supply chain attacks so successful is that businesses lack visibility into their web-facing attack surface. In many cases, they have no idea that the third-party code on their web assets is dangerous—or that they’re running that code at all.

Credit card-skimming groups like Magecart are gaining efficiency, so it takes less time than ever for consumers to see their data stolen, seemingly out of nowhere. In the end, it doesn’t matter to consumers whether this happens as the result of a traditional breach or a web-based supply chain attack. The reputation of organizations that run payment forms online is at stake, as well as the overall confidence of online shoppers.

Magecart: Don’t Lose Sight of the Problem

You’ve lately heard a ton of chatter from security vendors around Magecart — what it is, how it operates, and how you can defend against it. The problem is that most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. They’re copying the research of others, and some even add to the confusion by calling Magecart something completely different like “form jacking.”

Cut through the noise. Because of RiskIQ’s internet-scale visibility and ability to view a business’s internet-facing attack surface as Magecart sees it, our researchers and technology first exposed, profiled, and analyzed Magecart. We now continue to detect it as it evolves.
