Let me remind you that initially the name MageCart was assigned to one hack group, which was for the first time used web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data.

However, this approach was so successful that soon the group had numerous imitators, and the name MageCart became a common name, and currently denoting a whole class of such attacks.

Sansec analysts have identified the new malware in dozens of stores across different platforms. The malware steals payment information by displaying a fake checkout page (before customers see the actual payment form) and also uses a keylogger for card data and personal information.

To avoid detection, the skimmer displays an error after customers click the Continue button to provide the store with their credit card information. After that, the victims will be redirected back to the real ordering and payment form.

The method of data extraction used by the skimmer is also remarkable. Attackers use for this purpose automatically generated domains based on counter and base64 (for example, zg9tywlubmftzw5ldza[.]com and zg9tywlubmftzw5ldze[.]com). This feature helped researchers understand how long this campaign has been active: the first domain for data extraction was registered on August 31, 2020.

Let me also remind you that Hackers hide MageCart skimmers in social media buttons.

The post New web skimmer found in Shopify, BigCommerce, Woocommerce and Zencart stores appeared first on Gridinsoft Blog.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data. Surprisingly, this approach turned out to be so successful that the group soon had numerous imitators, the name MageCart became a household name, and now it is assigned to all the class of such attacks.

Steganography means hiding information within another format (for example, text within images, images within videos, and so on).

Operators of web skimmers also did not stay away from this trend and hid their malicious code in website logos, product images or in the favicon of the infected resources.

Now, Sanguine Security experts write that SVG files, rather than PNG or JPG files, are used in new attacks to hide malicious code. Most likely, this is due to the fact that recently, protective solutions have become better at detecting skimmers in ordinary pictures.

In theory, it should be easier to detect malicious code in vector images. However, the researchers write that attackers are smart and designed their payload with these nuances in mind.

According to experts, hackers tested this technique back in June, and it was discovered on active e-commerce sites in September, with malicious payloads hidden inside buttons designed to publish content on social networks (Google, Facebook, Twitter, Instagram, YouTube, Pinterest etc).

In infected stores, as soon as users navigated to the checkout page, a secondary component (called a decoder) reads the malicious code hidden inside social media icons and then downloaded a keylogger that would capture and steal bank card information from the checkout form.

What could be next, I told, for example, in a note: Magecart groupings extract stolen cards data via the Telegram.

The post Hackers hide MageCart skimmers in social media buttons appeared first on Gridinsoft Blog.

He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bankcard data.

“Such an approach was so successful that the group soon had numerous imitators, and the name MageCart became a common name, and now it refers to a whole class of such attacks”, – remind history specialists of the information security company RiskIQ.

If in 2018 RiskIQ researchers identified 12 such groups, then by the end of 2019, according to IBM, there were already about 40 of them.

The researcher studied one of these malicious JavaScript and noticed that it collects all data from the input fields filled by victims and sends it to Telegram.

All transmitted information is encrypted using a public key, and having received it, a special Telegram bot sends the stolen data to the chat in the form of ordinary messages.

Affable Kraut notes that this method of data theft, apparently, is very effective, but it has a significant disadvantage: anyone who has a token for a Telegram bot can take control of the process.

Malwarebytes’ leading researcher, Jérôme Segura, was also interested in the script, and after examining it, he said that the author of this web skimmer used a simple Base64 for the bot ID, Telegram channel and API requests. Below you can see the diagram left by Segura and describing the entire attack process.

The researcher notes that data theft occurs only if the current URL in the browser contains one of the keywords indicating that this is an online store, and only when the user confirms the purchase. The payment details will then be sent to both the payment processor and the cybercriminals.

Jerome Segura writes that such a data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

Segura writes that such data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

Let me remind you that scientists have developed an attack that allows not to enter a PIN code while paying with Visa cards.

The post Magecart groupings extract stolen cards data via Telegram appeared first on Gridinsoft Blog.