A massive 962 online shops have had their customers’ card details stolen in just 24 hours, in the largest Magecart-style automated card skimming card campaign identified to date.
That’s according to Amsterdam-based eommerce fraud protection specialist Sanguine Security Labs, which identified the attacks today.
The company – which provides a Magento malware scanner – has shared the skimmer’s codebase on a GitHub repo.
Magento is a widely used, open source-based ecommerce platform written in PHP that handles over $100 billion in gross merchandise volume every year.
Our crawlers detected 962 breached stores last night. It is the largest automated campaign to date (previously: MGCore with 700 stores). Decoded skimmer: https://t.co/CCVakmMrR5 pic.twitter.com/nIHQFwtRXN
— Sanguine Security Labs (@eComscan) July 5, 2019
Such attacks work via automated probes for compromised store extension software. When opportunities are found, cybercriminals insert a customized Javascript payment overlay for the specific site; essentially inserting a fake credit card payment section.
Willem de Groot from Sanguine Security told Computer Business Review: “This is the largest number of breaches [of] stores over a 24-hour period, which implies that their operation is highly automated. Victims are from all over the world, so were likely chosen opportunistically.”
He added: “I am still waiting for logs to accurately say how they got compromised, but at first glance it appears to be a PHP object injection exploit for an existing vulnerability.”
Magecart Attacks are Rampant
Among the most high-profile victims: British Airways, which had 380,000 customers’ payment details stolen in a card skimming attack last August (2018).
US-based threat research firm RiskIQ says it has identified seven core Magecart groups; an umbrella term for threat groups using a range of card skimmers.
RiskIQ identified the groups by analysing unique sets of infrastructure (pools of IP addresses, domains and specific server setup fingerprints); skimmers (unique obfuscation techniques and loading strategies) and targeting (each uses different methods to reach their victims).
It detailed a sprawling array of card skimmers using different techniques, including sophisticated counter-surveillance: one registers domains mimicking ad providers, analytics providers, victim’s domains, and anything else that can be used to hide in plain sight, for example, trying to blend in with normal network traffic by changing file paths to image file extensions instead of normal JavaScript extensions.