Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
With our internet-wide telemetry, RiskIQ has discovered some of the most significant Magecart attacks ever carried out. These involved a host of different tools and tactics including several different inject types, skimmers of varying sophistication, and countless intrusion methods. But for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms.
The most notorious of these payment platforms is Magento. RiskIQ’s first blog post on Magecart introduced it as a new breed of threat centered around attacks on Magento, and recent developments show that stores running Magento are still a prime target for skimming groups. Considering the frequency with which Magecart groups target Magento, many security professionals associate Magecart (and web skimming in general) with Magento.
However, web skimming goes well beyond Magento. Skimming groups target almost any web environment, including dozens of other online shopping platforms used by stores around the world.
In this post, we’ll explain how the rise of web-skimming coincides with the development and evolution of online shopping platforms that not only power large e-tailers but also thousands of smaller stores. While breaches of big brands like British Airways and Ticketmaster have become infamous, it’s smaller stores, more prone to security flaws, that help Magecart thrive.
We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.
The first online transaction took place in 1994, and the e-commerce industry took off soon after that, with the emergence of e-commerce giants Amazon and eBay. Thousands of smaller stores also set up shop during this time.
Before Magento gained widespread popularity, there were several platforms these self-hosted stores to use. One of these early platforms was OpenCart, which was created in 1998 but didn’t get traction until 2009 or so when a stable PHP-based version was released. OSCommerce, another hugely popular platform, was introduced around 2000.
Magento didn’t come into existence until 2007 but is now running on tens of thousands of sites, mainly due to Adobe’s acquisition of the platform. It’s now the second-largest presence in RiskIQ’s telemetry datasets behind Shopify, just ahead of OpenCart and OSCommerce. With the ubiquity of these platforms (especially with self-hosted solutions), it’s often exposed to vulnerabilities that make it a prime target for skimming attacks.
Major online stores running these platforms are usually victimized when a platform-wide vulnerability comes out that requires immediate patching. But the majority of outdated platforms run on smaller, mostly unknown stores. Attackers target plugins installed on these platforms, which are often vulnerable because their developers write code for functionality over security.
Last time we reported on Group 12, we explained how they were able to get into a French advertising agency to deploy their skimmer on a broad set of websites. We haven’t posted an update on this group, but that doesn’t mean they’ve stopped doing damage.
The most important note about Group 12 is that anything providing e-commerce services is a target for them. We’ve seen them attack the WordPress platform and breach the ad provider. They’ve also compromised thousands of sites running e-commerce platforms by breaching versions of Magento, OpenCart, and OSCommerce.
Group 12 breached OpenCart sites to inject their skimmer similar to the Magento attacks, starting with the insertion of a very well-picked domain name: batbing.com.
Here’s what it looks like cleaned up:
The small snippet looks for the word “checkout” in the URL the user is visiting, and only then inserts the skimmer script. It’s a simple but extremely effective technique. Here is the actual skimmer code once loaded:
The skimmer itself hasn’t changed much since the Adverline incident, including the unmistakable self-checking obfuscation layer they apply on their skimmer.
One other notable element of this attack is the impersonation attempt for the Bing.com search engine script:
The normal Bing URL looks very similar:
We can also find references to the skimmer in a forum post on the OpenCart website. A website administrator noted that his OpenCart 188.8.131.52 website had been compromised with a skimmer. The post clearly shows the Group 12 injected skimmer script:
Reading through the OpenCart as well as the OsCommerce forums, we can find multiple instances where administrators were able to figure out they were breached, but the question of “how” remains unsolved.
The domain batbing.com has been taken offline as part of this publication. We would like to thank AbuseCH and the Shadowserver Foundation for their continued support on these actions.
It’s likely that new breeds of these web skimming attacks will emerge in the future, whether by new or existing Magecart groups. They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information. This widens the scope of potential Magecart victims far beyond e-commerce alone.
This means businesses need a continued focus on visibility into their internet-facing attack surfaces, as well as scrutinize of the third-party services that constitute their web applications. Magecart’s recent ravages have shown that a lot of the investment in securing corporate infrastructure hasn’t worked. Companies will continue to be overwhelmed by the scale and tenacity of these kinds of groups, especially as attacks launch from outside the firewall and the data theft occurs in the user’s browser. This is well outside the scope of modern network monitoring tools.
*We would like to thank Parthiban from Anomali for sharing his initial findings. Collaboration on threats like this is always appreciated.
Lately, you’ve heard a ton of chatter from security vendors around Magecart — what it is, how it operates, and how you can defend against it. The problem is that most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. They’re working from the research of others, and some even add to the confusion by calling Magecart something completely different like “form jacking.”
Cut through the noise. Because of RiskIQ’s internet-scale visibility and ability to view a business’s internet-facing attack surface as Magecart sees them, our researchers and technology first exposed, profiled, and analyzed Magecart. We now continue to detect it as it evolves.
The #Magecart supply-chain attack frenzy continues with AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS, and Picreel falling victim https://t.co/b7UWqL2PzW #BrowserThreats
Regarding Forbes: the skimmer was customized for Forbes, it wasn't an automated attack. Here's the rest of the infrastructure (not just for Forbes) they've been setting it up since January:
Fascinating learning about the cyber attacker's playbook from Yonathan Klijnsma: step 1: gain entry. 2. more reconnaissance 3. Theft, then profit #transportsecurity #TSC
Today at the #TransportSecurityCongress, RiskIQ's
@ydklijnsma spoke about the #Magecart breach of British Airways, which you can read more about here: https://t.co/cPqEqVVllj (Photo credit @SmartRailNews)
Context is everything! Here's how using Tags and Classifications in @RiskIQ PassiveTotal can get your team aligned and supercharge your investigations https://t.co/Wk5OfBZPu2 #ThreatHunting