Magecart hackers hide stolen credit card data in images and fake CSS files

Magecart hackers have devised a new strategy of concealing malicious code within comment blocks and disguising stolen credit card data as image files in order to avoid detection.

Magecart is an umbrella term for several groups of cybercriminals who inject malicious JavaScript skimmers into e-commerce websites in order to steal credit card details and sell them on the black market.

Over time, security analysts have detected millions of Magecart infections and identified dozens of distinct skimming scripts.

One technique used by several Magecart groups in their attacks, according to researchers from security firm Sucuri, is dumping stolen credit card details into image files on the compromised server.

In the attacks the researchers monitored, the attackers later retrieved the data with ordinary GET requests, which avoids raising suspicion because fetching an image file with a GET request looks like normal web traffic.

During an investigation, Sucuri's experts discovered a couple of image files on the server that kept being populated with chunks of base64-encoded data.

After decoding the data to plain text, the experts found credit card numbers, CVV codes, billing addresses, expiration dates, and more.
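
As an added defender-side example (not code from Sucuri or from this article), the following Python check looks for data appended after a PNG or JPEG file's own end marker, decodes any base64 runs it finds there and flags records containing a Luhn-valid card-like number; the sample record and image bytes are constructed here for illustration:

```python
# Added example (not the Sucuri report's code): flag image files that carry appended base64 records.
import base64
import re

PNG_MAGIC, PNG_END = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"
JPEG_MAGIC, JPEG_END = b"\xff\xd8", b"\xff\xd9"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Loose 13-19 digit shape (spaces/dashes allowed); the Luhn check trims false positives.
CARD_LIKE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the image's end marker; a clean PNG/JPEG returns nothing."""
    if data.startswith(PNG_MAGIC):
        end = PNG_END
    elif data.startswith(JPEG_MAGIC):
        end = JPEG_END
    else:
        return b""
    idx = data.rfind(end)
    return b"" if idx == -1 else data[idx + len(end):].strip()

def luhn_ok(number: str) -> bool:
    """Standard Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def suspicious_records(data: bytes) -> list[str]:
    """Decode each base64 run past the end marker; keep those holding a Luhn-valid card-like number."""
    hits = []
    for run in B64_RUN.findall(trailing_bytes(data)):
        try:
            text = base64.b64decode(run, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        digits = [re.sub(r"[ -]", "", m.group()) for m in CARD_LIKE.finditer(text)]
        if any(luhn_ok(d) for d in digits):
            hits.append(text)
    return hits

# Constructed sample: a bare PNG skeleton plus one fake record appended as base64 after the image data.
FAKE_RECORD = b"4111111111111111|12/27|123|Jane Doe|1 Example St"
IMAGE_ONLY = PNG_MAGIC + b"\x00\x00\x00\x00" + PNG_END
TAMPERED_PNG = IMAGE_ONLY + b"\n" + base64.b64encode(FAKE_RECORD) + b"\n"

if __name__ == "__main__":
    for name, blob in (("clean", IMAGE_ONLY), ("tampered", TAMPERED_PNG)):
        print(name, suspicious_records(blob))
```

Run over a web root's image directory, a non-empty result is a strong signal that a file is being used as a drop for skimmed data rather than as an image.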

Although attributing the attack to a single threat actor is difficult, the experts believe Magecart Group 7 was involved, given similarities with the TTPs associated with that group.

Furthermore, the attackers are believed to have used a technique called concatenation, in which the skimmer code was interleaved with additional comment chunks; these comments do nothing functionally but add a layer of obfuscation that makes the code somewhat harder to identify.

On the compromised website, Magecart hackers were also seen collecting credit card details in real time, storing the information in a fake style sheet file (.css) on the server and then retrieving it with a GET request.

“MageCart is an ever-growing threat to e-commerce websites,” concludes the report. “From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn’t they? Literal fortunes are made stealing and selling stolen credit cards on the black market.”