An attacker under the Magecart umbrella has infected an unknown number of e-commerce sites in the US, UK, and five other countries with malware for skimming credit card numbers and personally identifiable information (PII) belonging to people making purchases on these sites. But in a new wrinkle, the threat actor is also using the same sites as hosts for delivering the card-skimming malware to other target sites.

Researchers from Akamai who spotted the ongoing campaign note that this not only makes the campaign different from prior Magecart activity, but it's also much more dangerous.

They assess that the cyberattacks have been going on for at least one month and have potentially affected tens of thousands of people already. Akamai said that in addition to the US and UK, it has spotted websites affected by the campaign in Brazil, Spain, Estonia, Australia, and Peru.

Payment Card Theft & More: A Double Compromise

Magecart is a loose collective of cybercriminal groups involved in online payment card-skimming attacks. Over the past several years, these groups have injected their namesake card skimmers into tens of thousands of sites worldwide — including sites such as TicketMaster and British Airways —and stolen millions of credit cards from them, which they have then monetized in different ways. 

Akamai counted Magecart attacks on 9,200 e-commerce sites last year, of which 2,468 remained infected as of the end of 2022.

The typical modus operandi for these groups has been to surreptitiously inject malicious code into legitimate e-commerce sites — or into third-party components such as trackers and shopping carts — that the sites use, by exploiting known vulnerabilities. When users enter credit card information and other sensitive data on the checkout page of compromised websites, the skimmers silently intercept the data and send it to a remote server. So far, attackers have primarily targeted sites running the open source Magento e-commerce platform in Magecart attacks.

The latest campaign is slightly different in that the attacker is not just injecting a Magecart card skimmer into target sites but is also hijacking many of them to distribute malicious code. 

"One of the primary advantages of utilizing legitimate website domains is the inherent trust that these domains have built over time," according to the Akamai analysis. "Security services and domain scoring systems typically assign higher trust levels to domains with a positive track record and a history of legitimate use. As a result, malicious activities conducted under these domains have an increased chance of going undetected or being treated as benign by automated security systems."

In addition, the attacker behind the latest operation has also been attacking sites running not just Magento but other software, such as WooCommerce, Shopify, and WordPress.

A Different Approach, Same Outcome

"One of the most notable parts of the campaign is the way the attackers set up their infrastructure to conduct the web skimming campaign," Akamai researcher Roman Lvovsky wrote in the blog post. "Before the campaign can start in earnest, the attackers will seek vulnerable websites to act as 'hosts' for the malicious code that is used later on to create the web skimming attack."

Akamai's analysis of the campaign showed the attacker using multiple tricks to obfuscate the malicious activity. For example, instead of injecting the skimmer directly into a target website, Akamai found the attacker injecting a small JavaScript code snippet into its webpages that then fetched the malicious skimmer from a host website. 

The attacker designed the JavaScript loader to look like Google Tag Manager, Facebook Pixel tracking code, and other legitimate third-party services, so it becomes hard to spot. The operator of the ongoing Magecart-like campaign also has been using Base64 encoding to obfuscate the URLs of compromised websites hosting the skimmer. 

"The process of exfiltrating the stolen data is executed through a straightforward HTTP request, which is initiated by creating an IMG tag within the skimmer code," Lvovsky wrote. "The stolen data is then appended to the request as query parameters, encoded as a Base64 string."

As a sophisticated detail, Akamai also found code in the skimmer malware that ensured it did not steal the same credit card and personal information twice.