The latest Magecart attack sees up to 20,000 online retailers breached
Website security has once again been thrown into the spotlight with the news that as many as 20,000 online stores have been breached by infamous hackers Magecart.
The syndicate of cybercriminals uses digital payment card skimming (DPCS), otherwise known as formjacking, to harvest consumers’ credit card and other personal information from the checkout pages of ecommerce sites. They do this by injecting malicious JavaScript directly into the site, or into scripts supplied by third parties that provide functionality to the site.
This was the case in this latest spree, where the group infiltrated cloud-based shopping cart software provider Volusion’s Google Cloud infrastructure and planted a piece of malicious code in a JavaScript file on its server. One of the most notable victims targeted in the attack was the Sesame Street online store, which sells merchandise from the iconic children’s show.
Organizations must implement technology to safeguard customer PII from Magecart-style website attacks. The FBI has issued a warning specific to Magecart e-skimming attacks, urging organizations to “take note of this new breed of cyberattack and put security measures in place to protect end-users.”
Tip of the iceberg
The Volusion breach is just the latest in a long line of attacks by Magecart. In recent months, more than 17,000 online stores have been found to contain card-stealing malicious scripts.
The most substantial spike in Magecart instances occurred in June 2018, when Ticketmaster’s website was compromised – a result of Magecart placing skimmers on the firm’s checkout pages after compromising a third-party supplier.
The Magecart group responsible attacked a swathe of third parties, such as website analytics providers SociaPlus and Inbenta, gaining access to more than 800 ecommerce sites.
However, since then Magecart has continued to expand its attack methods. Last month it hit hotel chains’ booking sites by compromising the service provider that builds them rather than the individual sites themselves. Trend Micro found two hotel websites from different hotel chains that had been injected with JavaScript code to load a remote script on their payment page.
“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones. The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server,” notes Trend Micro in its findings.
Both affected hotel websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called ‘viewedHotels’ which was provided to its clients and subsequently used for two websites of two different hotel chains.
“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries,” says Trend Micro.
New players
Elsewhere, researchers from Malwarebytes and HYAS claim to have found links between Magecart-based web skimming attacks and a sophisticated cybercrime group called Cobalt, which reportedly targets financial institutions worldwide.
In addition, researchers from IBM have found evidence that another cybercrime group called FIN6, which is related to Cobalt, has branched out into web-based card skimming. FIN6 is known for compromising physical point-of-sale systems of organizations from the retail, hospitality and restaurant sectors in order to steal payment card data. This link indicates that they are diversifying their operations and contributing to the spike in attacks on ecommerce sites.
“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it would be logical that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” the Malwarebytes and HYAS researchers said in their report.
Hard to spot
It does not stop there: researchers recently discovered that Magecart groups are also compromising creative ad script tags, leveraging digital ad networks to drive traffic to their skimmers on thousands of sites at once. The same research shows that Magecart now accounts for 17 percent of all malicious advertisements.
Only recently, the PCI Security Standards Council and the Retail and Hospitality Information Security and Analysis Center (ISAC) issued a joint warning regarding the growing threat of online skimming attacks, such as those perpetrated by Magecart.
Magecart breaches can be difficult to detect, and many companies remain unaware that they have been compromised. Research by security vendor SonicWall reports that, on average, it takes 228 days for online retailers to identify a breach.
To protect against third-party compromise and malicious injects on your website, you need a real-time view of every script and technology running on your digital properties, so that each page load can be checked for scripts that are unapproved or have changed.
With Magecart attacks increasing in scale and frequency, and a host of new entrants starting to make their mark, speak to Ensighten about how to deploy protection for your website, including an allowlist of approved vendors that ensures only approved scripts load and blocks requests to any destination not on the list.

Ensighten
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.