Magecart hackers target online shopping sites, using a tactic called web skimming to steal credit card information from e-commerce websites.
This technique is notable because most client-side security tools would be unable to detect or block the skimmer.
The new attack differs from earlier ones in that the skimmer code is added dynamically to the merchant site at the server level.
The PHP-based web shell malware disguises itself as a favicon (“Magento.png”), and it infects websites by tampering with the shortcut icon tags in the HTML code so that they point to a fake PNG image file.
This web shell then retrieves the next-stage payload, a credit card skimmer, from an external server.
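The favicon tampering described above leaves a footprint a defender can check for: an icon link that points off-site, or an "image" whose bytes are not actually a PNG. The following Python script is an added example, not code from the original article or from Malwarebytes. It assumes the page HTML and the bytes of each linked icon have already been retrieved (here supplied inline as constructed samples; the host names and file contents are made up), and it flags icon links that are off-site or whose bytes fail the PNG signature check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Every real PNG file begins with this 8-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class IconLinkCollector(HTMLParser):
    """Collect href values of <link> tags whose rel attribute includes 'icon'
    (covers both rel="icon" and rel="shortcut icon")."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        rel_tokens = a.get("rel", "").lower().split()
        if "icon" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


def icon_hrefs(html):
    """Return all favicon/icon hrefs found in the HTML, in document order."""
    parser = IconLinkCollector()
    parser.feed(html)
    return parser.hrefs


def is_offsite(href, site_host):
    """True if the href names a host other than the merchant's own."""
    host = urlparse(href).netloc
    return bool(host) and host.lower() != site_host.lower()


def classify_icon_bytes(data):
    """Verdict for bytes served as an icon image: 'png' if the PNG signature
    is present, 'php-in-image' if PHP open tags appear, else 'not-png'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if b"<?php" in data or b"<?=" in data:
        return "php-in-image"
    return "not-png"


def audit_page(html, site_host, fetch):
    """Return a list of (href, reasons) for every icon link that looks wrong.
    `fetch` is a callable mapping an href to the bytes it serves."""
    findings = []
    for href in icon_hrefs(html):
        reasons = []
        if is_offsite(href, site_host):
            reasons.append("offsite-host")
        verdict = classify_icon_bytes(fetch(href))
        if verdict != "png":
            reasons.append(verdict)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample page: one legitimate favicon and one tampered link.
SAMPLE_HOST = "shop.example.invalid"
SAMPLE_HTML = """<html><head>
<link rel="icon" href="/favicon.png">
<link rel="Shortcut Icon" href="https://cdn.example.invalid/Magento.png">
</head><body></body></html>"""

# Constructed "fetched" bytes for each href; the second is a stand-in for a
# PHP file served under an image name (placeholder only, not a real script).
SAMPLE_FILES = {
    "/favicon.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
    "https://cdn.example.invalid/Magento.png": b"<?php /* placeholder */ ?>",
}


def run_sample():
    return audit_page(SAMPLE_HTML, SAMPLE_HOST, lambda h: SAMPLE_FILES.get(h, b""))


if __name__ == "__main__":
    for href, reasons in run_sample():
        print(f"suspicious icon link: {href} ({', '.join(reasons)})")
```

In production the `fetch` callable would retrieve each icon over HTTP from the merchant's own page; the off-site check alone is a cheap first pass, and the signature check catches the case where the tampered link stays on the merchant's own host.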
Based on similarities in tactics, techniques, and procedures, the new campaign has been attributed to Magecart Group 12.
Malwarebytes also pointed out that the newest domain name they discovered (zolo[.]pw) is hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, both of which were previously linked to Magecart Group 12.
Magecart hackers have used a variety of attack tactics to avoid detection and exfiltrate data over the last few months.