A new strain of malware named Magecart has hit more than 100 online stores in recent days. The malicious script silently logs the data customers enter on checkout pages and sends it to a server controlled by the attacker.
The malware first appeared in March of this year; the first infections at high-profile online stores were registered in May.
By the end of June 2016, Sucuri had come across a Magecart variant that targeted stores using the Braintree Magento extension to accept payments through the Braintree platform.
That was only one facet of the Magecart campaign, which companies such as RiskIQ and ClearSky have continued to track across multiple e-commerce platforms and infections.
According to the researchers, since March the group behind Magecart has improved its capabilities, refining its malicious scripts to work across platforms such as Magento, OpenCart, and the Powerfront CMS.
At its core, Magecart is a JavaScript file added to a compromised website's source code. Usually this happens after the attacker exploits a vulnerability in the CMS platform or in the underlying server; once the attacker has access to either, the malicious code is inserted into the site's pages.
Magecart infections work in two stages. First, the script checks whether the user is on the checkout page. Only when the user reaches the URLs specific to each platform's checkout flow does the Magecart script move to the second stage, where it loads the actual keylogger component.
The second-stage component is another JavaScript file that logs what the user types into the form fields and sends the collected data to a remote server under the attacker's control.
The two scripts are loaded from domains that change from infection to infection, showing that the criminals know how to cover their tracks. All scripts are loaded over HTTPS, and the data is exfiltrated over HTTPS as well, so the injected requests blend in with the page's legitimate traffic and do not trigger mixed-content warnings on an HTTPS checkout page.
If the checkout form doesn't collect all the information the attacker wants, Magecart can inject additional input fields into the checkout form in order to harvest the rest.
According to RiskIQ, Magecart can steal data both from online stores that handle payment processing themselves and from those that hand it off to specialized payment providers.
RiskIQ reports that Magecart was able to steal credit card information from websites that used the Braintree Magento extension or handled payments via VeriSign.
Among the best-known companies whose online stores suffered Magecart infections are Everlast and Faber & Faber.
At this point, the simplest way to protect an online store against Magecart infections is to use strong, unique admin credentials and to keep the server and CMS software updated at all times. Since the infection shows up as an extra script in the page source, periodically comparing the checkout page's scripts against a known-good copy is a practical way to spot it.