Magecart is an umbrella term for several cybercriminal groups that specialize in injecting scripts into websites to steal bank card data from payment forms. They are responsible for attacks on companies such as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.
Recently, researchers uncovered a malicious campaign in which attackers successfully hacked 962 e-commerce sites.
Attackers use internationalized domain names (IDN) to mask the servers that host malicious content, in order to disguise traffic from malicious domains as packets delivered from legitimate sites.
Using an IDN to mask a server is one of the popular tactics used by attackers in phishing campaigns.
Because certain characters look very similar but have different character codes (for example, the Cyrillic “а” and the Latin “a”), an attacker can “fake” the URL of a web page. Instead of reaching the legitimate website, users can be redirected to a malicious portal identical to the real one. This way criminals can collect personal or financial information and then use and/or sell it.
One of the distinctive features of the skimmer used in the new Magecart attacks is the ability to automatically change its behavior if the site is opened in the Google Chrome or Mozilla Firefox browsers. In this case, in order to avoid detection, the skimmer will not send the collected data to the C&C server.
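From the site owner's side, the lookalike-domain trick described above can be checked for in a page's own markup. The following Python sketch is an added example, not code from the original article or from Sucuri: it audits `<script src>` hosts for mixed-script labels and for lookalikes of an allowlisted host. The hostnames, the allowlist and the partial lookalike map are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Partial Cyrillic-to-Latin lookalike map (constructed; Unicode TS #39 has the full list).
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456\u0455", "aeopcxyis")

def decode_label(label):
    """Unicode form of one DNS label; xn-- (punycode) labels are decoded."""
    try:
        return label[4:].encode("ascii").decode("punycode") if label.startswith("xn--") else label
    except UnicodeError:
        return label  # malformed ACE label: keep it as written

def scripts_in(label):
    """Scripts used by a label's letters, approximated from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def audit_script_hosts(html, allowlist):
    """Return (host, reasons) for each <script src> host that looks like a homograph."""
    findings = []
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)', html, re.I):
        labels = [decode_label(l) for l in (urlsplit(src).hostname or "").split(".")]
        host = ".".join(labels)
        reasons = []
        if any(len(scripts_in(l)) > 1 for l in labels):
            reasons.append("mixed-script label")
        if not host.isascii() and host.translate(CONFUSABLES) in allowlist:
            reasons.append("lookalike of allowlisted host")
        if reasons:
            findings.append((host, reasons))
    return findings

def to_ace(host):
    """ASCII (xn--) form of a hostname, used here only to build the sample."""
    return ".".join(l if l.isascii() else "xn--" + l.encode("punycode").decode() for l in host.split("."))

# Constructed sample: made-up hosts; the lookalike swaps Latin "o" for Cyrillic U+043E.
ALLOWLIST = {"cdn.shop.example"}
LOOKALIKE = "cdn.sh\u043ep.example"
SAMPLE_HTML = (
    '<script src="https://cdn.shop.example/checkout.js"></script>\n'
    f'<script src="https://{LOOKALIKE}/checkout.js"></script>\n'
    f'<script src="https://{to_ace(LOOKALIKE)}/checkout.js"></script>\n'
)

if __name__ == "__main__":
    print(audit_script_hosts(SAMPLE_HTML, ALLOWLIST))
```

The lookalike is flagged in both its Unicode and its `xn--` form, while the legitimate host passes; a label written entirely in one non-Latin script is caught only by the allowlist comparison, so the lookalike map needs to cover the characters relevant to your own domains.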
The Magecart skimmer script also supports dozens of payment gateways, indicating that criminals are thoroughly prepared for this campaign, say Sucuri experts.
How to protect yourself?
Credit card skimmers are not a new phenomenon. To protect your ecommerce website, we strongly encourage Magento site owners to install the latest security patches as soon as they become available. If you are unable to update your site, you can leverage a web application firewall to virtually patch any vulnerabilities.