A wave of cyberattacks against retailers running the Magento 1.x e-commerce platform earlier this September has been attributed to one single group, according to the latest research.
“This group has carried out a large number of diverse Magecart attacks that often compromise large numbers of websites at once through supply chain attacks, such as the Adverline incident, or through the use of exploits such as in the September Magento 1 compromises,” RiskIQ said in an analysis published today.
Collectively called Cardbleed, the attacks targeted at least 2,806 online storefronts running Magento 1.x, which reached end-of-life as of June 30, 2020.
Injecting e-skimmers on shopping websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems.
These virtual credit card skimmers, also known as formjacking attacks, are typically JavaScript code that the operators stealthily insert into an e-commerce website, often on payment pages, with an intent to capture customers’ card details in real-time and transmit it to a remote attacker-controlled server.
But in the last few months, the Magecart operators have stepped up in their efforts to hide card stealer code inside image metadata and even carry out IDN homograph attacks to plant web skimmers concealed within a website’s favicon file.
Cardbleed, which was first documented by Sansec, works by using specific domains to interact with the Magento admin panel and subsequently leveraging the ‘Magento Connect’ feature to download and install a piece of malware called “mysql.php” that gets automatically deleted after the skimmer code is added to “prototype.js.”
Now, as per RiskIQ, the attacks bear all the hallmarks of a single group it tracks as Magecart Group 12 based on overlaps in infrastructure and techniques across different attacks starting with Adverline in January 2019 to the Olympics Ticket Resellers back in February 2020.
What’s more, the skimmer used in the compromises is a variant of the Ant and Cockroach skimmer first observed in August 2019 — so named after a function labeled “ant_cockcroach()” and a variable “ant_check” found in the code.
Interestingly, one of the domains (myicons[.]net) observed by the researchers also ties the group to another campaign in May, where a Magento favicon file was used to hide the skimmer on payment pages and load a fake payment form to steal captured information.
But just as the identified malicious domains are being taken down, Group 12 has been adept at swapping in new domains to continue skimming.
“Since the [Cardbleed] campaign was publicized, the attackers have shuffled their infrastructure,” RiskIQ researchers said. “They moved to load the skimmer from ajaxcloudflare[.]com, which has also been active since May and moved the exfiltration to a recently registered domain, consoler[.]in.”
If anything, the attacks are yet another indication of threat actors continuing to innovate, playing with different ways of carrying out skimming, and obfuscating their code to evade detection, said RiskIQ threat researcher Jordan Herman.
“The prompting for this research was the widespread compromise of Magento 1, which went end-of-life this June, sites via an exploit,” Herman said. “So the particular mitigation would be to upgrade to Magento 2, though the cost of upgrading might be prohibitive for smaller vendors.”
“There is also a company called Mage One that is continuing to support and patch Magento 1. They released a patch to mitigate the particular vulnerability exploited by the actor in late October. Ultimately, the best way to prevent these types of attacks is for e-commerce shops having a full inventory of the code running on their site so they can identify deprecated versions of software and any other vulnerabilities that could invite a Magecart attack,” he added.