Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

MageCart Launches Customizable Campaign

A tool new to MageCart bolsters the group's ability to evade detection and steal data.

MageCart, a loose group of individuals and organizations that specializes in JavaScript information skimmers used to compromise commercial websites, has a new offering for it customers — one that carries new dangers for website owners and customers.

According to researchers at Fortinet, MageCart is now licensing Inter. According to Inksit Threat Analysis, "Inter is a JS Sniffer (credit card sniffer) that Sochi has sold on Exploit forum since December 2, 2018. One license of Inter costs $1,300, which includes the sniffer (payload), a user manual, 24/7 customer support, and free updates."

MageCart is offering Inter as a highly customizable payload along with JavaScript loaders and bundles of software that can ensure the malicious payload isn't being executed in a debugger or sandbox.

One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.

Changing the skimmer's point in the process also means it might be able to avoid some security software intended to catch it on the checkout page. An additional feature helps Inter avoid detection by hiding the stolen information in plain site.

The Fortinet researchers show that the MageCart-customized version of Inter creates an "IMG" element — an image element often used on Web pages — and then puts the exfiltrated data as a parameter of the image.

Neither Inter nor MageCart are new. What is new is the criminal group's use of this customizable, widely available tool. In the conclusion of their report, Fortinet researchers predict the success of the campaign means other groups are more likely to adopt Inter as well.

Related Content:

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OSUJJONES
100%
0%
OSUJJONES,
User Rank: Apprentice
7/2/2019 | 12:20:49 PM
Re: Card Validation
www.SourceDefense.com has come up with a unique way to solve this problem by taking away DOM access to the supply chain.  By doing this you can no longer insert anything on to the browser which elimitates the Magecart attack at the browser level which is the flaw and how these attacks happen.  V.I.C.E. is the name of the technology and is worth looking into if you are concerned about Magecart or really anyone having access to your customers data at the browser both credit card as well as privacy information.   
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 2:39:56 PM
Re: Card Validation
I do apologize if I was not clear, I was saying from a hypothetical standpoint, if we put together a DB that is populated from the various banks and credit card agencies, we could stop the fraud at the very beginning. The dark we was presented only to provide insight that this can be done, we could even use their model as a way of creating something that spans multiple banking organizations (across the globe).

Todd
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 10:31:41 AM
Re: Card Validation
Ah ok so your reference was to the dark web. Makes sense. For this to become more operational a DB to pull directly from the Dark Web stolen credit cards would need to be created. This has its own inherent risks.

Would be a nice lot of information to thave though.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/30/2019 | 8:17:25 AM
Re: Card Validation
Currently, a legal DB does not exist (most are found illegally), this was more of a hypothetical (this was more a question to the group); if something like this did exist, then we could query this data to help identify fraud before accepting the stolen credit card application (cutting them off at the pass).

However, there are databases on the web with stolen credit cards, this is part of the dark web:

https://miro.medium.com/max/700/1*TGI_cGlmblJk4UemaYFqYA.png

RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2019 | 7:46:45 AM
Re: Card Validation
Database of Stolen cards. Just curious, does this actually exist? I hadn't heard of an agnostic list of confirmed stolen credit cards.

Regardless, if it does exist it would be a race condition from when the card was stolen and when it was added to the database. If the malformed checkout form was sent before the DB add then there would be no checks against it.
tdsan
50%
50%
tdsan,
User Rank: Ninja
6/29/2019 | 9:26:43 AM
Card Validation
One of the campaign's unique qualities, according to Fortinet's report, is that the software injects a fake card payment form on a targeted Web page and skims a victim's entered card information, whether or not the page is a checkout form. This means the skimmer can be brought into the customer experience much earlier.
  • Wouldn't it be prudent to check if the card has been stolen by querying a database of stolen cards submitted by the bank or card processing companies? This would reduce the use of stolen cards and mitigate this fraudulent activity.
  • Also, if a fake card form is submitted, shouldn't that form be held up during the approval process before it goes to the next step or remain external to the organization until the form's information has been verified (text or phone call)?

Just curious.

Todd
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5397
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
CVE-2019-17635
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
CVE-2019-19339
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
CVE-2007-6070
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2019-17634
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could...