In many recent investigations, Foregenix has identified breaches that closely resemble the Magecart-style attacks first seen many years ago. The techniques currently employed, although based on previously observed patterns, have been modernised. Magecart attacks target cardholder data and customers' personal information by intercepting ecommerce transactions through web (digital) skimming or form jacking.
Magecart attacks (so named because they mostly targeted Magento-based ecommerce environments) exploded in 2015, infecting thousands of websites in one of the biggest campaigns in the history of ecommerce attacks. Back then, Magecart attacks leveraged vulnerabilities within Magento, most notably Shoplift/SUPEE 5344, as previously noted by Foregenix. In its most basic form, once access to a site was gained, threat actors would inject malicious code that acted as a skimmer into the site's JavaScript source. The skimmer captured cardholder data and customers' personal information during checkout. The captured data was then base64 encoded (in some cases left as plain text) and exfiltrated to attacker-controlled systems on the internet.
Over the years, particularly between 2015 and 2022, the number of Magecart victims grew exponentially, while Foregenix was at the heart of providing expert incident response and investigations, helping medium and large-scale merchants quickly contain and eradicate reported breaches.
Now, in 2023, Foregenix is seeing something of a resurgence in Magecart attacks, with attackers employing more creative techniques to avoid detection. Modern techniques observed in recent Foregenix investigations indicate that attackers start by breaching computers on the internet to serve as command and control (C2) servers from which they host their malicious code. They then exploit vulnerabilities such as CVE-2022-24086/7 that have been observed on unpatched Magento sites. Attacks vary, but recently some compromised sites have been injected with malicious JavaScript in the form of an illegitimate Google Tag Manager (GTM) tag. This tag loads further malware, a fake payment (checkout) page, from the previously compromised legitimate site that acts as a C2 server. In this way cardholder data is harvested and exfiltrated to the attackers' C2 servers. This shows how rudimentary Magecart techniques are now used alongside modern attack methods to compromise sites and evade detection more effectively. To an unsuspecting IT person, the Google Tag would appear to be a legitimate piece of code on their site.
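The following added example (not code from Foregenix or its ThreatView product) shows one check a merchant can run against its own checkout page HTML to spot the illegitimate GTM loader described above: it collects every script tag and flags any GTM loader that fetches gtm.js from a host other than www.googletagmanager.com, or that references a container ID not on the merchant's allow-list. The sample page, the container IDs and the hostname shop-compromised.example are constructed.

```python
import re
from html.parser import HTMLParser

GENUINE_HOST = "www.googletagmanager.com"
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)/gtm\.js")  # host that serves gtm.js
ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")  # GTM container IDs referenced by the loader

class ScriptCollector(HTMLParser):
    """Collects (src attribute, inline body) for every <script> element on the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = [dict(attrs).get("src"), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None

def find_rogue_gtm(html, allowed_ids):
    """Return (reason, value) findings for GTM loaders that fetch gtm.js from a
    non-Google host or reference a container ID not on the merchant's allow-list."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        text = (src or "") + " " + body
        hosts, ids = set(HOST_RE.findall(text)), set(ID_RE.findall(text))
        if not hosts and not ids:
            continue  # not a GTM loader at all, nothing to judge
        findings += [("rogue-host", h) for h in sorted(hosts - {GENUINE_HOST})]
        findings += [("unknown-container", i) for i in sorted(ids - set(allowed_ids))]
    return findings

# Constructed sample page: one genuine GTM snippet plus one injected loader that
# pulls gtm.js from a compromised third-party site (placeholder hostname).
SAMPLE_HTML = """<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;d.head.appendChild(j);
})(window,document,'script','dataLayer','GTM-ABCD1234');</script>
<script src="https://shop-compromised.example/gtm.js?id=GTM-ZZZZ9999"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""
```

Running `find_rogue_gtm(SAMPLE_HTML, {"GTM-ABCD1234"})` reports the off-host loader and the unknown container while leaving the genuine snippet and the unrelated app.js untouched; the same check can be run on a fetched copy of the live checkout page as part of routine integrity monitoring.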
Preventing these attacks is one of the best ways to stay ahead of the likely threat of a breach. The following measures can be undertaken to mitigate them:
Foregenix provides state-of-the-art software capable of detecting and alerting on attacks on the fly. With more than 100 years of combined experience in its team of cyber security experts, these attacks are quickly responded to and contained, ensuring the least disruption to business and revenue generation.
Try our website security solutions for free and see how they can help you keep your website safe.
ThreatView
https://www.foregenix.com/solutions/threatview