Delaware, USA – October 10, 2018 — In mid-September, one of the groups behind the Magecart card-skimming campaign compromised the Shopper Approved plug-in and injected malicious code into it. RiskIQ researchers estimate that at least six cybercriminal groups take part in the campaign, and the same group that attacked Ticketmaster in July of this year is responsible for injecting the code into the toolkit used by hundreds of e-commerce sites. Good news: the attackers forgot to obfuscate the code when they injected it on the Shopper Approved server, so the researchers were able to identify the source of the threat quickly. The attackers corrected their mistake 15 minutes later, but it was too late. RiskIQ contacted Shopper Approved and helped remove the card-skimming script from the plug-in and from the sites of the company and its clients. Despite the plug-in's popularity, the attackers' mistakes meant the attack affected only a small fraction of e-commerce sites; this part of the campaign targeted only websites with specific keywords in the URL and did not affect websites whose URLs lacked those keywords.
Websites often use CDN services for caching, and malicious code can be cached there and remain active long after it has been removed from the attacked site. Magecart attacks are becoming more frequent, and the code used by the attackers is growing in sophistication. Security researcher Willem de Groot found that the malicious scripts now report the IP address, timezone and browser of any researcher who tries to debug a Magecart script back to the attackers. It is still not reliably known how the adversaries gain access to the pages, so close monitoring of the web resources that interest cybercriminals is needed. You can use Threat Detection Marketplace content to detect breach attempts and misuse of web resources: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight
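The CDN caching point above has a practical defensive counterpart: after a third-party script is cleaned up, compare what every edge actually serves against the known-good copy, and where you can pin a script version, publish a Subresource Integrity (SRI) hash so the browser refuses a modified copy. The following Python is an added example written for this page; it is not code from SOC Prime, RiskIQ or Shopper Approved. The script bodies are constructed sample data, and the source names (`origin`, `cdn-edge-a`, `cdn-edge-b`) are hypothetical; in real use the bodies would come from fetching the script URL directly from the origin and through the CDN hostname.

```python
import base64
import hashlib

# Constructed sample: the cleaned-up script the vendor's origin serves,
# and the copies two (hypothetical) CDN edge nodes still return from cache.
ORIGIN_CLEAN = b"/* vendor widget (constructed sample) */\nfunction widget(){}\n"
EDGE_COPIES = {
    "origin": ORIGIN_CLEAN,
    "cdn-edge-a": ORIGIN_CLEAN,
    # This edge still serves a stale copy with extra code appended to it.
    "cdn-edge-b": ORIGIN_CLEAN + b"/* stale cached copy, extra appended code */\n",
}


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI value (e.g. 'sha384-<base64 digest>') suitable for a
    <script integrity="..."> attribute, so the browser rejects any other bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def audit_copies(copies: dict, baseline: bytes) -> dict:
    """Hash every served copy and compare it with the approved baseline.
    Returns {source: 'ok' | 'DIFFERS'}; a 'DIFFERS' entry means that cache
    is still handing out content you did not approve."""
    expected = hashlib.sha256(baseline).hexdigest()
    return {
        src: "ok" if hashlib.sha256(body).hexdigest() == expected else "DIFFERS"
        for src, body in copies.items()
    }


def stale_sources(copies: dict, baseline: bytes) -> list:
    """Sorted list of sources whose copy does not match the baseline."""
    report = audit_copies(copies, baseline)
    return sorted(src for src, status in report.items() if status == "DIFFERS")


if __name__ == "__main__":
    for src, status in audit_copies(EDGE_COPIES, ORIGIN_CLEAN).items():
        print(f"{src:12} {status}")
    print("purge or re-fetch:", stale_sources(EDGE_COPIES, ORIGIN_CLEAN))
    print("pin with integrity=", sri_integrity(ORIGIN_CLEAN))
```

Run this as a scheduled job against each CDN hostname your pages load the script from; any `DIFFERS` result should trigger a cache purge and a review of the served bytes. SRI only helps when the including page can commit to a fixed script version, which is why vendors that auto-update a widget need the hash audit as well.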