960+ E-Commerce Stores Breached by Magecart Group in Twenty-Four Hours

Delaware, USA – July 8, 2019 – A Magecart group is compromising websites at scale, injecting card-skimming scripts to steal customers' credit card data and personal information. Last week, Sanguine Security discovered 962 websites with an installed skimmer, and all of the victims were compromised within 24 hours. To date, it is the largest automated attack organized by a Magecart group. Most of the targets are small online stores, but enterprise stores are also among the victims. It is not yet known how the attackers compromised the websites; allegedly they scan websites for known vulnerabilities and then exploit them. At least some of the attacked shops had not installed patches against PHP object injection exploits. The decoded skimmer used in this campaign is available in Willem de Groot’s GitHub repository.

Moreover, today it became known how much British Airways could pay for last year’s attack by a Magecart group on its website. The breach hit about 500,000 customers, since the skimmer remained undetected for more than a month. The Information Commissioner’s Office intends to fine British Airways £183.39M for violating GDPR. This large-scale attack marked the beginning of a series of high-profile compromises: Feedify, ABS-CBN, Newegg, OXO, Forbes. In addition to attacking sites directly, adversaries compromised popular plugins and extensions. One way to detect such an attack at an early stage is to use a SIEM with the Web Application Security Framework rule pack, which helps to spot malicious activity and acts as an early warning system for critical business applications that face the public internet: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight