New Magento Skimmer by MageCart Group

Delaware, USA – July 29, 2019 – Cybercriminals install a new Magento skimmer on compromised websites that downloads malicious JavaScript from the Google-like internationalized domain name. The skimmer was discovered by Sucuri researchers and during the analysis, they also found new evasion capabilities of the script. In this case, the attackers registered google-analytîcs[.]com, in the hope that the user will not pay attention to JavaScript downloaded from a “trusted” source. Magento skimmer like other similar scripts of MageCart groups is designed to collect payment card data and send it to attackers’ server. Of the innovations, it should be noted that the behavior of the skimmer changes depending on whether the developer tools are used in the browser. If they are used, the script does not attempt to steal the data. Perhaps due to this feature, the script avoided detection for some time. The attackers used another Google-associated domain – google[.]ssl[.]lnfo[.]cc as a server to collect data.

Using IDN to disguise a server is one of the popular tactics used by attackers in phishing campaigns, but MageCart groups have not previously resorted to using it. Researchers have recorded an increase in the number of attacks on Magento stores that exploit known vulnerabilities to compromise websites. After gaining access, attackers often install backdoors to reinfect site in case of detection of the skimmer. You can monitor the security of your websites and services that face public internet, you can use SIEM rule pack available on Threat Detection Marketplace: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight