Magecart Archives – Gridinsoft Blog (https://gridinsoft.com/blogs/tag/magecart/)

New web skimmer found in Shopify, BigCommerce, Woocommerce and Zencart stores
https://gridinsoft.com/blogs/new-web-skimmer-found-in-shopify-bigcommerce-woocommerce-and-zencart-stores/
Published Tue, 29 Dec 2020 16:30:30 +0000
Sansec experts have discovered a new multi-platform MageCart skimmer capable of stealing payment information from compromised stores. The web skimmer works in Shopify, BigCommerce, Zencart and Woocommerce stores (even if they don’t support custom scripts for checkout pages).

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to use web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data.

However, this approach was so successful that the group soon had numerous imitators, and MageCart became a generic name that now denotes a whole class of such attacks.

“Typically, web skimmers target one e-commerce platform, but the researchers’ new finding works differently,” say Sansec experts.

Sansec analysts have identified the new malware in dozens of stores across different platforms. The malware steals payment information by displaying a fake checkout page (before customers see the actual payment form) and also uses a keylogger for card data and personal information.

[Image: web skimmer in Shopify stores – the fake payment form]

To avoid detection, the skimmer displays an error after customers have entered their credit card details and clicked the Continue button. The victim is then redirected to the store’s real order and payment form, so the purchase still goes through normally.

[Image: web skimmer in Shopify stores – the error shown after Continue]

The skimmer’s exfiltration method is also remarkable. For this purpose, the attackers use automatically generated domains derived from a counter and Base64 encoding (for example, zg9tywlubmftzw5ldza[.]com and zg9tywlubmftzw5ldze[.]com). This feature helped the researchers establish how long the campaign has been active: the first exfiltration domain was registered on August 31, 2020.

“To summarize, this campaign shows that different platforms are not an obstacle to profitable online skimming fraud. Wherever customers enter their payment details, they are at risk,” the experts conclude.

Let me also remind you that Hackers hide MageCart skimmers in social media buttons.

Hackers hide MageCart skimmers in social media buttons
https://gridinsoft.com/blogs/hackers-hide-magecart-skimmers-in-social-media-buttons/
Published Mon, 07 Dec 2020 20:59:50 +0000
Sanguine Security analysts discovered that hackers are using steganography and hiding MageCart skimmers in buttons designed to post content to social media.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data. Surprisingly, this approach turned out to be so successful that the group soon had numerous imitators; MageCart became a household name and is now applied to the whole class of such attacks.

Steganography means hiding information within another format (for example, text within images, images within videos, and so on).

“In recent years, the most common form of steganographic attacks has been hiding malicious payloads within image files, usually in PNG or JPG formats,” Sanguine Security researchers say.

Operators of web skimmers have followed this trend, hiding their malicious code in website logos, product images or the favicon of the infected sites.

Now, Sanguine Security experts write that the new attacks hide malicious code in SVG files rather than PNG or JPG files. Most likely, this is because security products have recently become better at detecting skimmers in ordinary raster images.

In theory, it should be easier to detect malicious code in vector images. However, the researchers write that attackers are smart and designed their payload with these nuances in mind.

“The malicious payload takes the form of an HTML ‘svg’ element, using the ‘path’ element as a container for the payload. The payload itself is hidden using syntax that resembles the correct use of the ‘svg’ element,” says the experts’ report.

According to the experts, hackers tested this technique back in June, and it was discovered on active e-commerce sites in September, with malicious payloads hidden inside buttons designed to share content on social networks (Google, Facebook, Twitter, Instagram, YouTube, Pinterest, etc.).

In infected stores, as soon as a user navigated to the checkout page, a secondary component (called a decoder) read the malicious code hidden inside the social media icons and then downloaded a keylogger that captured and stole bank card information from the checkout form.

I wrote about what could come next in, for example, the note Magecart groupings extract stolen card data via Telegram.

Magecart groupings extract stolen cards data via Telegram
https://gridinsoft.com/blogs/magecart-groupings-extract-stolen-cards-data-via-telegram/
Published Fri, 04 Sep 2020 16:12:42 +0000
An information security specialist known under the pseudonym Affable Kraut discovered that Magecart web skimmer operators exfiltrate stolen card data through Telegram channels.

He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data.

“Such an approach was so successful that the group soon had numerous imitators, and the name MageCart became a common name, and now it refers to a whole class of such attacks,” recall specialists of the information security company RiskIQ.

Whereas RiskIQ researchers identified 12 such groups in 2018, by the end of 2019, according to IBM, there were already about 40 of them.

The researcher studied one of these malicious JavaScript skimmers and noticed that it collects all data from the input fields filled in by victims and sends it to Telegram.

[Image: Magecart skimmer extracting card data]

All transmitted information is encrypted with a public key; on receipt, a dedicated Telegram bot posts the stolen data into the chat as ordinary messages.

[Image: Magecart skimmer extracting card data]

Affable Kraut notes that this method of data theft is apparently very effective, but it has a significant weakness: anyone who holds the Telegram bot’s token can take control of the process.

Malwarebytes lead researcher Jérôme Segura was also interested in the script, and after examining it he said that the author of this web skimmer used simple Base64 encoding for the bot ID, the Telegram channel and the API requests. Below is Segura’s diagram describing the entire attack process.

[Image: Segura’s diagram of the Magecart card data extraction process]

The researcher notes that data theft occurs only if the current URL in the browser contains one of the keywords indicating that the page belongs to an online store, and only when the user confirms the purchase. The payment details are then sent both to the payment processor and to the cybercriminals.

Jerome Segura writes that such a data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.
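As an added, defensive illustration (this is not code from Segura, Sansec or Gridinsoft), the Python below checks a script for the two traits described above: quoted Base64 literals that decode to a Telegram Bot API endpoint, and a gate on checkout-style keywords in location.href. The sample script, the marker strings, the keyword list and the <TOKEN> placeholder are all constructed for this example and are assumptions, not indicators taken from the article.

```python
import base64
import re

# Quoted strings made of Base64 alphabet characters, at least 16 long.
B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')

# Assumed markers of a Telegram Bot API exfiltration endpoint.
EXFIL_MARKERS = ("api.telegram.org", "/sendMessage")

# Assumed keywords a skimmer might look for in the page URL.
CHECKOUT_KEYWORDS = ("checkout", "onepage", "payment", "billing")


def decode_b64_literals(js: str) -> list[tuple[str, str]]:
    """Return (literal, decoded) pairs for every quoted Base64 string
    in the script that decodes to printable ASCII text."""
    found = []
    for match in B64_RE.finditer(js):
        literal = match.group(1)
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not ASCII
        if text.isprintable():  # drops binary blobs that happen to decode
            found.append((literal, text))
    return found


def find_hidden_exfil(js: str) -> list[str]:
    """Decoded literals that point at the Telegram Bot API."""
    return [text for _, text in decode_b64_literals(js)
            if any(marker in text for marker in EXFIL_MARKERS)]


def mentions_checkout_gate(js: str) -> bool:
    """True if the script inspects location.href and names a checkout keyword."""
    return "location.href" in js and any(k in js for k in CHECKOUT_KEYWORDS)


def assess(js: str) -> dict:
    """Combine both checks into a single verdict for one script."""
    exfil = find_hidden_exfil(js)
    return {
        "telegram_endpoints": exfil,
        "checkout_gated": mentions_checkout_gate(js),
        "verdict": "suspicious" if exfil else "clean",
    }


# Constructed sample script (not taken from any real skimmer): one harmless
# Base64 literal, one binary-looking literal, and one obfuscated endpoint
# that is only used when the URL looks like a checkout page.
_BENIGN = base64.b64encode(b"analytics-config-v2").decode()
_TG = base64.b64encode(b"https://api.telegram.org/bot<TOKEN>/sendMessage").decode()
SAMPLE_JS = (
    'var cfg = atob("' + _BENIGN + '");\n'
    'var pad = "AAAAAAAAAAAAAAAAAAAAAAAA";\n'
    'if (location.href.indexOf("checkout") > -1) {\n'
    '  var endpoint = atob("' + _TG + '");\n'
    '}\n'
)

if __name__ == "__main__":
    for literal, text in decode_b64_literals(SAMPLE_JS):
        print(f"{literal[:20]}... -> {text}")
    print(assess(SAMPLE_JS))
```

The heuristic is deliberately narrow: it only catches plain Base64, which is what Segura reported for this skimmer. A script that splits or re-encodes the endpoint would pass, which is why the article's point about blocking Telegram being only a temporary fix also applies to static string matching.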

Let me remind you that scientists have developed an attack that allows paying with Visa cards without entering a PIN code.
