View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 5, 2019updated 08 Jul 2019 9:03am

Card Details Stolen from 962 Websites in 24-Hours Magecart Spree

Latest Magecart-style campaign hits nearly 1,000 victims

By CBR Staff Writer

A massive 962 online shops have had their customers’ card details stolen in just 24 hours, in the largest Magecart-style automated card skimming card campaign identified to date.

That’s according to Amsterdam-based eommerce fraud protection specialist Sanguine Security Labs, which identified the attacks today.

The company – which provides a Magento malware scanner – has shared the skimmer’s codebase on a GitHub repo.

Magento is a widely used, open source-based ecommerce platform written in PHP that handles over $100 billion in gross merchandise volume every year.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Such attacks work via automated probes for compromised store extension software. When opportunities are found, cybercriminals insert a customized Javascript payment overlay for the specific site; essentially inserting a fake credit card payment section.

Willem de Groot from Sanguine Security told Computer Business Review: “This is the largest number of breaches [of] stores over a 24-hour period, which implies that their operation is highly automated. Victims are from all over the world, so were likely chosen opportunistically.”

He added: “I am still waiting for logs to accurately say how they got compromised, but at first glance it appears to be a PHP object injection exploit for an existing vulnerability.”

Magecart Attacks are Rampant

Among the most high-profile victims: British Airways, which had 380,000 customers’ payment details stolen in a card skimming attack last August (2018).

US-based threat research firm RiskIQ says it has identified seven core Magecart groups; an umbrella term for threat groups using a range of card skimmers.

RiskIQ identified the groups by analysing unique sets of infrastructure (pools of IP addresses, domains and specific server setup fingerprints); skimmers (unique obfuscation techniques and loading strategies) and targeting (each uses different methods to reach their victims).

It detailed a sprawling array of card skimmers using different techniques, including sophisticated counter-surveillance: one registers domains mimicking ad providers, analytics providers, victim’s domains, and anything else that can be used to hide in plain sight, for example, trying to blend in with normal network traffic by changing file paths to image file extensions instead of normal JavaScript extensions.

Read this: Magecart’s 7 Groups: Hackers Dropping Counter-Intelligence Code in JavaScript Skimmers

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU