Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

MageCart Launches Customizable Campaign

A tool new to MageCart bolsters the group's ability to evade detection and steal data.

MageCart, a loose group of individuals and organizations that specializes in JavaScript information skimmers used to compromise commercial websites, has a new offering for it customers — one that carries new dangers for website owners and customers.

According to researchers at Fortinet, MageCart is now licensing Inter. According to Inksit Threat Analysis, "Inter is a JS Sniffer (credit card sniffer) that Sochi has sold on Exploit forum since December 2, 2018. One license of Inter costs $1,300, which includes the sniffer (payload), a user manual, 24/7 customer support, and free updates."

MageCart is offering Inter as a highly customizable payload along with JavaScript loaders and bundles of software that can ensure the malicious payload isn't being executed in a debugger or sandbox.

One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.

Changing the skimmer's point in the process also means it might be able to avoid some security software intended to catch it on the checkout page. An additional feature helps Inter avoid detection by hiding the stolen information in plain site.

The Fortinet researchers show that the MageCart-customized version of Inter creates an "IMG" element — an image element often used on Web pages — and then puts the exfiltrated data as a parameter of the image.

Neither Inter nor MageCart are new. What is new is the criminal group's use of this customizable, widely available tool. In the conclusion of their report, Fortinet researchers predict the success of the campaign means other groups are more likely to adopt Inter as well.

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OSUJJONES
100%
0%
OSUJJONES,
User Rank: Apprentice
7/2/2019 | 12:20:49 PM
Re: Card Validation
www.SourceDefense.com has come up with a unique way to solve this problem by taking away DOM access to the supply chain.  By doing this you can no longer insert anything on to the browser which elimitates the Magecart attack at the browser level which is the flaw and how these attacks happen.  V.I.C.E. is the name of the technology and is worth looking into if you are concerned about Magecart or really anyone having access to your customers data at the browser both credit card as well as privacy information.   
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 2:39:56 PM
Re: Card Validation
I do apologize if I was not clear, I was saying from a hypothetical standpoint, if we put together a DB that is populated from the various banks and credit card agencies, we could stop the fraud at the very beginning. The dark we was presented only to provide insight that this can be done, we could even use their model as a way of creating something that spans multiple banking organizations (across the globe).

Todd
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 10:31:41 AM
Re: Card Validation
Ah ok so your reference was to the dark web. Makes sense. For this to become more operational a DB to pull directly from the Dark Web stolen credit cards would need to be created. This has its own inherent risks.

Would be a nice lot of information to thave though.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 8:17:25 AM
Re: Card Validation
Currently, a legal DB does not exist (most are found illegally), this was more of a hypothetical (this was more a question to the group); if something like this did exist, then we could query this data to help identify fraud before accepting the stolen credit card application (cutting them off at the pass).

However, there are databases on the web with stolen credit cards, this is part of the dark web:

https://miro.medium.com/max/700/1*TGI_cGlmblJk4UemaYFqYA.png

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 7:46:45 AM
Re: Card Validation
Database of Stolen cards. Just curious, does this actually exist? I hadn't heard of an agnostic list of confirmed stolen credit cards.

Regardless, if it does exist it would be a race condition from when the card was stolen and when it was added to the database. If the malformed checkout form was sent before the DB add then there would be no checks against it.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/29/2019 | 9:26:43 AM
Card Validation
One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.
  • Wouldn't it be prudent to check if the card has been stolen by querying a database of stolen cards submitted by the bank or card processing companies? This would reduce the use of stolen cards and mitigate this fraudulent activity.
  • Also, if a fake card form is submitted, shouldn't that form be held up during the approval process before it goes to the next step or remain external to the organization until the form's information has been verified (text or phone call)?

Just curious.

Todd
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
CVE-2019-20394
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement in used in a notification statement. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
CVE-2019-20395
PUBLISHED: 2020-01-22
A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.