
Magecart Group Continues Targeting E-Commerce Sites

Arxan Analyzes Vulnerabilities in Over 80 Sites Hit by 'Formjacking' Attacks
In a series of recent attacks attributed to the umbrella criminal group known as Magecart, malicious JavaScript code was injected into over 80 e-commerce websites to steal credit card and other customer data, according to a new report from the security firm Arxan, which highlights the sites' vulnerabilities.

The report describes how numerous web applications used by online shopping sites are susceptible to "formjacking" attacks, which use malicious JavaScript code to skim credit card and other customer data from payment pages and send that information to the attackers. These types of virtual skimmers are also referred to as JavaScript skimmers, JavaScript sniffers or JS sniffers.

A previous report by Symantec found nearly 4,800 websites are subjected to formjacking attacks each month.

And while security researchers have been calling more attention to attacks from Magecart-affiliated groups, the Arxan report shows these types of incidents are widespread, with many types of e-commerce sites targeted. The attacked sites identified in the report included some associated with major consumer brands in the motorsports industry and luxury apparel market.

Bad Code

A major concern is that many companies are not updating and patching their web applications, or not checking if the code has been tampered with by attackers, Aaron Lint, chief scientist and vice president of research at Arxan, tells Information Security Media Group.

"Vendors need to make sure they are protecting their websites and web apps - especially when they are collecting personally identifiable information or financial information from customers," Lint says.

"The Magecart threat is not new - and has very high profile, public breaches - so vigilance is key. In addition to basic housekeeping - like keeping website platforms patched and updated to the latest versions - ensure your web code has been audited for any signs of code tampering, and make sure you have a security solution in place that is able to identify any attempt at code tampering and protect against this type of attack and others targeting the client side."

In many cases, even when the malicious JavaScript has been removed, the attackers will simply re-inject it into the site, researchers say.
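Because cleaned sites are re-injected, a tamper audit is only useful if it runs repeatedly against a baseline recorded from a known-good release. The following sketch is an added example, not code from the Arxan report or from this article: it hashes every script on a page and reports anything absent from or different to the baseline. The function names, paths and sample page are hypothetical and constructed, and the regex-based tag extraction is a simplification.

```javascript
const crypto = require("crypto");

// SHA-384 digest in the "sha384-<base64>" form used by SRI and CSP hashes.
function sriHash(text) {
  return "sha384-" + crypto.createHash("sha384").update(text, "utf8").digest("base64");
}

// Extract <script> elements. A regex keeps the sketch short; a production
// audit should use a real HTML parser or a headless browser.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { kind: "external", src: src[1] } : { kind: "inline", body: m[2] });
  }
  return scripts;
}

// baseline: { inline: Set of hashes, external: Map of src -> hash }
// fetched:  Map of src -> script body as currently served
function auditPage(html, baseline, fetched) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.kind === "inline") {
      const hash = sriHash(s.body);
      if (!baseline.inline.has(hash)) findings.push({ type: "unknown-inline", hash });
    } else if (!baseline.external.has(s.src)) {
      findings.push({ type: "unknown-external", src: s.src });
    } else if (sriHash(fetched.get(s.src) ?? "") !== baseline.external.get(s.src)) {
      findings.push({ type: "modified-external", src: s.src });
    }
  }
  return findings;
}

// Constructed sample data (not taken from the report).
const goodInline = "window.cartReady = true;";
const goodLib = "function total(items){return items.length;}";
const baseline = {
  inline: new Set([sriHash(goodInline)]),
  external: new Map([["/js/checkout.js", sriHash(goodLib)]]),
};
const cleanPage = `<script>${goodInline}</script><script src="/js/checkout.js"></script>`;
const changedPage = cleanPage + `<script>/* constructed: not in the release */</script>` +
  `<script src="https://cdn.example.invalid/x.js"></script>`;
console.log(auditPage(cleanPage, baseline, new Map([["/js/checkout.js", goodLib]])));
console.log(auditPage(changedPage, baseline, new Map([["/js/checkout.js", goodLib + " "]])));
```

The same hashes can be enforced in the browser through the `integrity` attribute on script tags and hash sources in a Content-Security-Policy `script-src` directive, so that a script that does not match is refused rather than only reported.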

Earlier, security consultant Willem de Groot, who is based in the Netherlands, found that one in five online stores that suffered a Magecart infection cleaned it up only to be re-infected usually within five days (see: InfoWars: Magecart Infection Points to 'Industrial Sabotage').

The Arxan study also found repeat infections on some sites. "We did notice websites that had been infected at the same time by different Magecart groups - code from one Magecart group directly above the code for another Magecart group," Lint says.

The report found that because so many web applications lack basic security, such as code obfuscation, the Magecart attackers are able to read either the basic JavaScript or HTML5 code found in these pages in plaintext. This allows them to plan the attack and inject their own malicious code into the site, the report notes.

"CISOs really need to take another look at how they are protecting websites and, more importantly, protecting the data being collected from those websites, and ensure they have the right security tools in place to keep that data secure," Lint says. "An organization’s threat model must include the attack vector of their application code running on untrusted environments and the ways that information can be exfiltrated when the client code is changed or replaced."

Easy to Find

As part of its research into these attack groups, Arxan investigators, along with Alissa Knight, a senior analyst at Aite Group, searched the web for obfuscated JavaScript associated with previous Magecart breaches. In less than three hours, the researchers located over 80 sites containing the skimmers, including sites in the U.S., Canada, Latin America, Europe and parts of Asia.

After finishing their investigation, the researchers notified the FBI and the affected sites.

Most of the e-commerce sites studied were running older versions of applications that had not been patched and were susceptible to either unauthenticated uploads or remote code execution, the researchers found.

In addition, many of the sites are built on top of the Magento content management system, which is a frequent target of Magecart attacks (see: Surge in JavaScript Sniffing Attacks Continues).

Magecart groups are known to target other content management platforms as well, including Shopify, OpenCart, OSCommerce and WordPress, Lint notes.

Ongoing Threat

The Magecart umbrella organization, which includes at least 12 criminal groups, dates back to 2014. But the number of attacks associated with these groups has steadily increased over the last 18 months.

In recent months, Magecart-associated groups have been suspected in attacks against shoe manufacturer Fila as well as the bedding sites and, according to an earlier analysis by security firms Group-IB and RiskIQ. In addition, British Airways, Ticketmaster and Newegg have also been attacked (see: RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets).

In July, Britain's privacy watchdog issued a "notice of intent" that it plans to fine British Airways about $230 million for violating the EU's General Data Protection Regulation. That violation of the law is believed to be tied to a Magecart attack that exposed personal details of about 500,000 customers (see: British Airways Faces Record-Setting $230 Million GDPR Fine).

In most cases, the Magecart groups don’t use the stolen credit card information themselves, but rather sell it in bulk on dark net sites, researchers say. This data has been found on underground forums including Empire Markets, Dream Markets, Wall Street Markets, E-Shop, BigDeal, and Valhalla.

Skimmers Proliferate

One reason that formjacking attacks have increased is the availability of JavaScript sniffers that can be bought for $250 to $5,000 on dark net sites and then tailored to meet specific needs, according to the security firm Group-IB.

These tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected into an e-commerce site to skim data that consumers use to buy goods.

In many cases, the skimmers remain invisible to both the retailers and their customers, Lint says.

"There is not much that end users can do to protect themselves," he says. "Infected Magecart sites are invisible to them - although sometimes a consumer security solution will block or warn against a potentially malicious site that you are trying to visit."

About the Author

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and
