Hackers Inject Shell Scripts into eCommerce Sites to Steal Credit Card Data

A recently discovered credit card theft operation, Magecart, has adopted an innovative approach by utilizing authentic websites as makeshift C2 servers. 

This strategy enables them to illicitly implant and conceal skimming malware within specific eCommerce websites.

During the checkout process, hackers execute a Magecart attack by breaching online stores and implanting malicious scripts designed to stealthily harvest the customers’ credit card details and personal information.

Large-scale & Long-term Attack

As per the diligent monitoring conducted by Akamai’s researchers on this particular campaign, numerous organizations in the subsequent countries have fallen victim to compromise:-

• The United States
• The United Kingdom
• Australia
• Brazil
• Peru
• Estonia

In addition, the cybersecurity firm highlights a noteworthy observation that many victims remained clueless to the fact that they had been compromised for more than a month, showing the covert nature of these attacks.

Web skimming attacks pose significant threats to organizations operating in the digital commerce realm, carrying the potential for substantial harm and adverse consequences.

The cybersecurity analysts at Akamai identified that threat actors had exploited several major platforms, and among them, we have mentioned the major ones:-

• Magento
• WooCommerce
• WordPress
• Shopify

Attack Infrastructure

A striking aspect of this campaign lies in the meticulous arrangement of the attackers’ infrastructure, specifically devised to orchestrate the web skimming campaign with remarkable efficacy.

In a strategic departure from conventional methods, instead of relying on their own command-and-control (C2) server, which could potentially raise suspicion as a malicious domain, the attackers adopt a different approach. 

By exploiting vulnerabilities or employing any available means, they infiltrate susceptible and legitimate websites, particularly small or medium-sized retail platforms, where they covertly embed their malicious code.

At its core, this campaign generates a dual impact, resulting in two distinct sets of victims, and here they are:-

• Host victims
• Web skimming victims

During their investigation, Akamai researchers identified a limited selection of websites functioning as the primary targets, all of which exclusively pertained to commerce-oriented platforms.

Exploited host websites are used as hosts for malicious code and subjected to a Magecart-style web skimming attack, leading to the theft of user information.

The attack’s stealthiness is enhanced by threat actors obfuscating the skimmer with Base64 encoding, concealing the host’s URL, and structuring it to resemble trusted third-party services like Google Tag Manager or Facebook Pixel, minimizing suspicion.

Through this approach, the attacker implements three distinct techniques aimed at evading detection and remaining undetected, and here they are mentioned below:-

The domain employed in the attack is obfuscated, rendering it challenging to trace and identify.

The loader is disguised as an authentic third-party script or vendor, hiding its true malicious intent.

By sourcing a substantial portion of the code from alternative origins, the attacker minimizes the volume of injected malicious code on the page, significantly diminishing the likelihood of detection.

Data Theft Analysis

The attacker uses obfuscation to impede debugging and research, deliberately making it difficult to understand the attack’s exact sequence, a practice widely adopted in various web skimming attacks that, in recent years, has become increasingly popular.

The first version is a highly obfuscated form that includes a customized list of CSS selectors specifically designed for each targeted site to capture customer PII and credit card information.

The second variant of the skimmer possessed lesser protection, inadvertently revealing key indicators within its code. 

These crucial clues allowed Akamai to effectively map the extent of the campaign’s impact and discover further victims.

Following the successful extraction of customers’ details, the skimmers transmit the stolen data to the server under the control of the threat actor. 

While this transmission is facilitated through an HTTP request meticulously crafted as an IMG tag nested within the skimmer.

Base64 encoding is used to obfuscate data during transmission, while website owners can prevent Magecart infections by securing admin accounts and updating CMS and plugins, and customers can reduce data exposure risk by utilizing the following methods:-

• Electronic payment methods
• Virtual cards
• Setting credit card charge limits

Recommendations

Here Below we have mentioned all the recommendations:-

• It is recommended that security professionals stay updated with the latest patches and enhance their security measures by incorporating a Web Application Firewall (WAF).
• Ensure the implementation of specialized security solutions that offer insights into the activities of scripts executed in web browsers and provide robust protection against client-side attacks.
• Ensure the thorough collection and vigilant monitoring of critical events and insightful data to enable prompt and efficient mitigation measures.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus