Researchers at Trend Micro and RiskIQ have pulled the curtain away from a new Magecart sub-group that managed to insert card skimmer code into more than 200 companies by using a third-party vendor as an unwitting accomplice.
The group, which the researchers track as Magecart Group 12, injected its malware into a JavaScript library served by the French online advertising firm Adverline, Trend Micro wrote. The code, which has since been removed, eventually found its way onto 277 e-commerce sites hosting ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands.
“This enables all websites embedded with the script to load the skimming code. Targeting third-party services also helps expand their reach, allowing them to steal more data,” Trend Micro reported, adding, “In Adverline’s case, code was injected into a JavaScript library for retargeting advertising. It’s an approach used by e-commerce websites where visitors are tagged so they can be delivered specific ads that could attract them back to the websites.”
This differs from a conventional Magecart attack, in which the skimmer is slipped directly into the e-commerce site itself. Ticketmaster and British Airways were among the companies hit by Magecart attacks in 2018.
Magecart Group 12 was found to use a skimming toolkit made up of two obfuscated scripts. The first is primarily for anti-reversing, while the second is the main data-skimming code. To make sure the scripts have not been tampered with, the malware performs a code integrity check on itself, and it continuously clears the browser's debugger console messages to deter detection and analysis, RiskIQ and Trend Micro found.
The skimmer distributed through Adverline's script first checked whether it was running on a shopping cart page by inspecting the URL for specific words, such as checkout, billing or purchase. In this case the malware also searched for those words in French and German, indicating that consumers in those countries were being targeted. If any of the words are detected it begins skimming: it copies every field the visitor types into the online form, Base64-encodes the result and stores it in the browser's JavaScript LocalStorage under the key name “cache”, tagged with a random number.
The data is then sent to a remote server through HTTP POST.
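The two behaviours described above, the URL keyword check that activates the skimmer and the Base64 staging of form data in LocalStorage, are the artifacts an analyst can work from when scoping an affected site. The following is an added example, not code from the Trend Micro or RiskIQ reports and not Adverline's script: a small set of triage helpers that reconstruct those two behaviours so that a URL list can be screened for pages the skimmer would have activated on and a LocalStorage export can be decoded and checked for card numbers. The French and German keywords are assumptions (the page does not list the exact terms), as is the assumption that the "cache" value is Base64 of JSON-serialised form fields; the LocalStorage snapshot is constructed inline with a Luhn-valid test card number, not real data.

```javascript
// Added example (not from the Trend Micro/RiskIQ reports or Adverline):
// triage helpers reconstructing two observable behaviours of the skimmer
// described in the article. Runs under Node.js with no dependencies.
//
// Assumptions not stated on the page: the French and German keywords below
// are illustrative, and the "cache" value is assumed to be Base64 of
// JSON-serialised form fields.

// URL keywords that activate the skimmer. The English terms are the ones the
// report names; the French and German entries are assumed for illustration.
const CHECKOUT_KEYWORDS = [
  'checkout', 'billing', 'purchase',            // named in the report
  'panier', 'paiement', 'commande',             // French (assumed)
  'kasse', 'warenkorb', 'bezahlen', 'zahlung',  // German (assumed)
];

// Return the keywords found in a URL (case-insensitive, whole URL including
// path and query). A non-empty result means the skimmer would hook the page.
function matchCheckoutKeywords(url) {
  const u = String(url).toLowerCase();
  return CHECKOUT_KEYWORDS.filter((k) => u.includes(k));
}

// Luhn check, used to separate real card numbers from other long digit
// strings (order numbers, phone numbers) in decoded data.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Recursively scan string values for 13-19 digit sequences (spaces and
// dashes stripped) that pass Luhn. Returns the digit strings found.
function findCardNumbers(value, found = []) {
  if (typeof value === 'string') {
    for (const m of value.matchAll(/\d[\d \-]{11,}\d/g)) {
      const digits = m[0].replace(/[ -]/g, '');
      if (luhnValid(digits)) found.push(digits);
    }
  } else if (value && typeof value === 'object') {
    for (const v of Object.values(value)) findCardNumbers(v, found);
  }
  return found;
}

// Decode the staging artifact from a localStorage-like object (anything with
// getItem). Returns null when the key is absent; otherwise the decoded
// fields and any card numbers found in them.
function decodeStagedCache(storage, key = 'cache') {
  const raw = storage.getItem(key);
  if (raw === null || raw === undefined) return null;
  const text = Buffer.from(raw, 'base64').toString('utf8');
  let fields;
  try {
    fields = JSON.parse(text);
  } catch (e) {
    fields = text; // not JSON: keep the decoded string for manual review
  }
  return { fields, cardNumbers: findCardNumbers(fields) };
}

// Constructed sample: a LocalStorage snapshot as it might be exported from a
// victim's browser. The card number is a Luhn-valid test value, not real data.
const SAMPLE_FIELDS = {
  cc_name: 'Test Person',
  cc_number: '4111 1111 1111 1111',
  cc_exp: '12/27',
  cvv: '123',
  order_id: '2019011234567', // 13 digits but fails Luhn, so not reported
};
const sampleStorage = {
  items: {
    cache: Buffer.from(JSON.stringify(SAMPLE_FIELDS), 'utf8').toString('base64'),
    theme: 'dark', // unrelated entry
  },
  getItem(k) {
    return Object.prototype.hasOwnProperty.call(this.items, k) ? this.items[k] : null;
  },
};

// Combine both checks for one page: would it have triggered, and what was staged?
function triage(url, storage) {
  return { keywords: matchCheckoutKeywords(url), staged: decodeStagedCache(storage) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage('https://shop.example/fr/panier/paiement', sampleStorage), null, 2));
}
```

Run it with `node triage.js` (any file name). The keyword screen is deliberately a plain substring match over the whole URL, because that is the only selection logic the report describes; when screening a real crawl, expect false positives on paths such as `/blog/checkout-tips` and confirm by looking for the staged "cache" entry rather than relying on the URL alone.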
RiskIQ also provided some background on Magecart Group 12 itself.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed,” the firm reported.