Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

MageCart Launches Customizable Campaign

A tool new to MageCart bolsters the group's ability to evade detection and steal data.

MageCart, a loose group of individuals and organizations that specializes in JavaScript information skimmers used to compromise commercial websites, has a new offering for it customers — one that carries new dangers for website owners and customers.

According to researchers at Fortinet, MageCart is now licensing Inter. According to Inksit Threat Analysis, "Inter is a JS Sniffer (credit card sniffer) that Sochi has sold on Exploit forum since December 2, 2018. One license of Inter costs $1,300, which includes the sniffer (payload), a user manual, 24/7 customer support, and free updates."

MageCart is offering Inter as a highly customizable payload along with JavaScript loaders and bundles of software that can ensure the malicious payload isn't being executed in a debugger or sandbox.

One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.

Changing the skimmer's point in the process also means it might be able to avoid some security software intended to catch it on the checkout page. An additional feature helps Inter avoid detection by hiding the stolen information in plain site.

The Fortinet researchers show that the MageCart-customized version of Inter creates an "IMG" element — an image element often used on Web pages — and then puts the exfiltrated data as a parameter of the image.

Neither Inter nor MageCart are new. What is new is the criminal group's use of this customizable, widely available tool. In the conclusion of their report, Fortinet researchers predict the success of the campaign means other groups are more likely to adopt Inter as well.

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OSUJJONES
100%
0%
OSUJJONES,
User Rank: Apprentice
7/2/2019 | 12:20:49 PM
Re: Card Validation
www.SourceDefense.com has come up with a unique way to solve this problem by taking away DOM access to the supply chain.  By doing this you can no longer insert anything on to the browser which elimitates the Magecart attack at the browser level which is the flaw and how these attacks happen.  V.I.C.E. is the name of the technology and is worth looking into if you are concerned about Magecart or really anyone having access to your customers data at the browser both credit card as well as privacy information.   
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 2:39:56 PM
Re: Card Validation
I do apologize if I was not clear, I was saying from a hypothetical standpoint, if we put together a DB that is populated from the various banks and credit card agencies, we could stop the fraud at the very beginning. The dark we was presented only to provide insight that this can be done, we could even use their model as a way of creating something that spans multiple banking organizations (across the globe).

Todd
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 10:31:41 AM
Re: Card Validation
Ah ok so your reference was to the dark web. Makes sense. For this to become more operational a DB to pull directly from the Dark Web stolen credit cards would need to be created. This has its own inherent risks.

Would be a nice lot of information to thave though.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 8:17:25 AM
Re: Card Validation
Currently, a legal DB does not exist (most are found illegally), this was more of a hypothetical (this was more a question to the group); if something like this did exist, then we could query this data to help identify fraud before accepting the stolen credit card application (cutting them off at the pass).

However, there are databases on the web with stolen credit cards, this is part of the dark web:

https://miro.medium.com/max/700/1*TGI_cGlmblJk4UemaYFqYA.png

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 7:46:45 AM
Re: Card Validation
Database of Stolen cards. Just curious, does this actually exist? I hadn't heard of an agnostic list of confirmed stolen credit cards.

Regardless, if it does exist it would be a race condition from when the card was stolen and when it was added to the database. If the malformed checkout form was sent before the DB add then there would be no checks against it.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/29/2019 | 9:26:43 AM
Card Validation
One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.
  • Wouldn't it be prudent to check if the card has been stolen by querying a database of stolen cards submitted by the bank or card processing companies? This would reduce the use of stolen cards and mitigate this fraudulent activity.
  • Also, if a fake card form is submitted, shouldn't that form be held up during the approval process before it goes to the next step or remain external to the organization until the form's information has been verified (text or phone call)?

Just curious.

Todd
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13640
PUBLISHED: 2019-07-17
In qBittorrent before 4.1.7, the function Application::runExternalProgram() located in app/application.cpp allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, as demonstrated by remote command execution via a crafted name within an RSS feed.
CVE-2019-5222
PUBLISHED: 2019-07-17
There is an information disclosure vulnerability on Secure Input of certain Huawei smartphones in Versions earlier than Tony-AL00B 9.1.0.216(C00E214R2P1). The Secure Input does not properly limit certain system privilege. An attacker tricks the user to install a malicious application and successful ...
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...