magento hack javascript code data privacy security awareness training cybersecurity

Do You Shop Online?

Over 100 ecommerce sites had malicious JavaScript code injected into the payment sections, stealing credit card and customer information.

Researchers at the Chinese IT firm Qihoo 360 Netlab reported that this attack, which has been ongoing for about five months, has affected sites that sell a range of consumer goods, including high-end handbags, mountain bikes, baby products, wine, and electronics. According to Data Breach Today, 105 ecommerce websites were impacted.

This scheme involves a malicious domain name called magento-analytics[.]com, which Netlab researchers first noticed in October 2018 and have been tracking ever since. The attackers are apparently trying to disguise themselves by using a name that closely resembles Magento, a content management platform owned by Adobe and used by thousands of online retailers.

Skimmer Hack Attack

This is the second time in a week that security researchers have uncovered a skimmer attack targeting ecommerce websites. On May 3, Trend Micro described the activities of a new group called Mirrorthief, which targeted online campus stores in both the U.S. and Canada.


Many other attacks using skimmers, also called JavaScript sniffers, are closely associated with an umbrella group called Magecart, which has increased its activity over the last year.

While Netlab doesn’t mention Magecart in its report, the new attack it describes bears all the hallmarks of the group, says Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking Magecart and skimmer attacks over the last several months.

“It is exactly the same,” Klijnsma tells Information Security Media Group. “This isn’t a new style of attack; it’s just another skimmer. The skimmer used here comes from a kit you can buy to start your web-skimming empire. We’ve seen the same code on a lot of other websites but served from many different domains because of the skimmer’s accessibility.”

Researchers believe Magecart-related groups have been responsible for attacks against British Airways, Ticketmaster, Newegg, and other sites.

Payment Sites in the Crosshairs


Over the last 12 months, criminal gangs have used skimmers or JavaScript sniffers in a series of attacks to steal credit card numbers and then sell them on Dark Web sites.

One reason that skimmers and JavaScript sniffers are gaining in popularity is that they are inexpensive to buy or develop, are difficult to remove once installed on a target site, and can be tailored to different needs and specific attacks, according to Group-IB, which has published extensive research on these malicious tools.

These tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods. The malware is available for purchase for $250 to $5,000 on underground forums, the Group-IB analysis found.

In this latest case, Netlab researchers were able to track how the malicious JavaScript works on sites that were infected. In most cases, these skimmers are designed to steal credit card data, including the customer’s name, card number, expiration date and CVV information.


In an example that Netlab researchers show, the malicious JavaScript runs in the background until the customer reaches the “Payment Information” page. Once the CVV for the credit card is entered, the malicious code sends the stolen data to the attack group.

Malicious Domain

At the heart of this new attack is the magento-analytics[.]com domain that Netlab researchers have tracked for several months. The domain was originally registered in Panama, and its IP address has since moved several times to such far-flung locations as Arizona, Moscow and Hong Kong, according to the research.

From a regular browser, the magento-analytics[.]com domain returns a 403 page, and a Google search doesn’t produce any answers either. But Netlab researchers were able to track the domain and study it.

In their analysis, the researchers note that the domain name has been hosting JS scripts since the beginning of December 2018. Once the JavaScript is loaded onto a site, the script attempts to skim credit card and other data every 500 milliseconds. And once it collects that information, it sends it back to the gang controlling the attack, the Netlab researchers report.
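As an added illustration (not code from Netlab's report or from this article), the following Python audit shows one check a shop operator can run against a checkout page's HTML: it lists every script loaded from another origin, flags hosts outside an allowlist, and separately flags brand-lookalike hosts of the kind the magento-analytics[.]com name represents. The sample HTML, the allowlist and the hostnames in it are constructed for the example; magento.com is Adobe's real Magento domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a checkout page (not taken from any affected site):
# one first-party script, one expected payment-provider script, and one script
# pulled from a host that merely imitates the Magento brand name.
SAMPLE_HTML = """
<script src="/static/js/checkout.js"></script>
<script src="https://js.example-payments.com/v3/"></script>
<script src="https://magento-analytics.com/js/payment.js"></script>
<script>console.log('inline');</script>
"""

# Hosts the shop actually expects to serve scripts from (assumed allowlist).
ALLOWED_HOSTS = {"shop.example.com", "js.example-payments.com"}

# Brand names an attacker might imitate, mapped to the domains that
# legitimately carry them. magento.com is the real Magento domain.
BRANDS = {"magento": {"magento.com"}}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)

def external_script_hosts(html):
    """Return the hosts of all <script src> tags that load from another origin."""
    hosts = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host:  # relative (first-party) paths have no hostname and are skipped
            hosts.append(host.lower())
    return hosts

def is_brand_lookalike(host):
    """True if the host embeds a brand name but is not one of that brand's own domains."""
    for brand, legit in BRANDS.items():
        if brand in host and not any(host == d or host.endswith("." + d) for d in legit):
            return True
    return False

def audit_scripts(html, allowed=ALLOWED_HOSTS):
    """Flag every external script host outside the allowlist, noting lookalikes."""
    findings = []
    for host in external_script_hosts(html):
        if host in allowed:
            continue
        reason = "brand-lookalike host" if is_brand_lookalike(host) else "host not on allowlist"
        findings.append((host, reason))
    return findings

if __name__ == "__main__":
    for host, reason in audit_scripts(SAMPLE_HTML):
        print(f"{host}: {reason}")
```

Running the same audit against a saved copy of each page in the checkout flow, and repeating it on a schedule, turns the one-off check into the kind of monitoring that would have caught a script added to the "Payment Information" page.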

The legitimate Magento platform is a frequent target of Magecart and other groups due to its popularity with online retailers, according to research published by RiskIQ and Group-IB. One of the skimmers that these groups use is called MagentoName because it is designed to take advantage of vulnerabilities in older versions of the Magento content management system.

“For the most part, these attacks are relatively easy to undertake with a low bar of entry in terms of criminal sophistication,” Klijnsma of RiskIQ says. He urges online retailers to update and patch their content management platforms to avoid these types of attacks.

The full list of sites in Netlab 360’s report is:


Ferguson, Scott. (2019, May 9). New Skimmer Attack Steals Data From Over 100 Ecommerce Sites. Data Breach Today.
