MageCart Reinfects 20% of Compromised Websites

Delaware, USA – November 16, 2018 – Security researcher Willem de Groot published statistics on MageCart attacks over the previous three months, which shows that threat actor reinfects every fifth online shop. Since August, adversaries have compromised 5,400 websites and injected skimmers on them, including successful attacks on British Airways, the web push notifications service Feedify (which was infected twice in three months) and broadcasting giant ABS-CBN. Many websites were infected through a compromised Shopper Approved plug-in and 21 Magento extensions. More than 1000 shops were reinfected within 24 hours after the malicious code was removed. According to statistics collected, MageCart skimmers gathers customers card data on average for 12.7 days, while the group reinfects compromised sites within 10.5 days. Some sites were re-infected more than 10 times. This happens because it is often challenging to determine how a site was compromised, and attackers embed backdoors or rogue admin accounts on the site. In addition, there are cases of the use of zero-day exploits and the use of hidden periodic tasks to reinstate the skimmer.

A recently published report from RiskIQ and Flashpoint details the activities of the major groups united under the collective name ‘MageCart’. The report also describes each group’s skimmers, tactics, targets and victims. Over the past six months, attacks have become more sophisticated and frequent. To timely detect attempts to compromise a website and install a backdoor or inject malicious code, you can use your ArcSight with the Web Application Framework rule pack: