A new Magecart campaign is making waves

Malwarebytes’ researchers are closely monitoring web skimmers and have noticed that one of the infamous Magecart groups is causing a rise in the number of attacks while gobbling up over a quarter of the total number of attacks in one campaign.

Magecart attacks have increased in the past 30 days in part due to a campaign via naturalfreshmall[.]com (https://t.co/yvruo8NbuR)

About 28% of all skimmer blocks from our Malwarebytes customers are tied to this domain. pic.twitter.com/S1Zha5cICk

— Malwarebytes Threat Intelligence (@MBThreatIntel) February 9, 2022

What all these attacks have in common is the domain where the malicious javascript is hosted: naturalfreshmall.com. Additional research by Sansec shows a mass breach of stores running the Magento 1 ecommerce platform that can be tied to this campaign.

More than 350 ecommerce stores infected with malware in a single day.

Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.

— Sansec (@sansecio) January 25, 2022

Magento

Magento is an Adobe company that offers a hosted and self-hosted content management system (CMS) for web shops. The free version of Magento is open source which offers users the option to make their own changes and allows specialists to create extensions for the CMS.

Magento 1 has reached end-of-life (EOL) and has not been supported since June 30, 2020. However, the platform is still in use by thousands of online stores. And because there’s a lack of security patches from Adobe, some are using community-provided patches. As you can imagine, the lack of vendor provided patches makes stores running Magento 1 popular victims for skimmers like Magecart.

Magecart

Magecart was originally one group that was partly named after the platform they concentrated on (Magento). But Magecart is no longer just one threat actor. We’ve seen several groups that are all specialized in cyberattacks involving digital credit card theft by skimming online payment forms. Magecart mainly targets e-commerce websites, aiming to inject JavaScript skimmers on checkout pages.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the web properties used to serve skimmers and exfiltrate stolen data.

In recent news we reported about the Segway online store that was compromised by Magecart group 12 who embedded the skimmer code inside a favicon.ico file.

The attack

According to the Sansec research the skimmers abused a known leak in the Quickview plugin that is typically used to inject rogue Magento admin users. In this case, the skimmers used it to add a validation rule that they could later trigger by registering as a customer. In investigated cases the attacker left no less than 19 backdoors on the system.

Keeping your site safe

We have written an extensive post about how to defend your website against skimmers, but in summary, here’s what you need to do to keep your site safe:

  • Make sure that the systems from where the site is administered are clean of malware.
  • Use strong passwords and do not reuse them.
  • Limit the number of administrators.
  • Keep your site’s software updated.
  • Use a Web Application Firewall (WAF).
  • Know that each dependency is a potential backdoor into your web pages.
  • Use a Content Security Policy (CSP).
  • Make sure you are made aware in case of problems, either by checking yourself or by having it done for you.

Stay safe, everyone!

The post A new Magecart campaign is making waves appeared first on Malwarebytes Labs.

Article Link: A new Magecart campaign is making waves