Dark Reading is part of the Informa Tech Division of Informa PLC



9/28/2018
08:05 AM
Larry Loeb

Magecart Group Likely Behind Increase in Formjacking Attacks

A recent analysis by Symantec researchers has found a significant increase in formjacking attacks. The reason, according to some, is an increase in activity from the Magecart group.

An extremely specific type of attack used to steal credit card details and other e-commerce data, called formjacking, has seen a significant spike over the last 30 days, according to a new analysis from Symantec.

Formjacking is a term that describes the use of malicious JavaScript code to steal credit card details, as well as other information from payment forms on the checkout web pages of e-commerce sites, such as Amazon or Wal-Mart.

While not a new technique, recent formjacking campaigns have been large and sophisticated, and they have increased dramatically since mid-August. Symantec researchers claimed to have blocked 248,000 formjacking attempts since then. More than one third of those blocks -- 36% -- occurred from September 13 to 20, according to Symantec.

When Symantec researchers compared the week of September 13 to the same week in August, the number of instances of formjacking had more than doubled. Symantec observed that blocked requests jumped from just over 41,000 to almost 88,500 -- a percentage increase of 117%.

The increases in formjacking seem to be linked to Magecart, the name of a threat actor that has previously carried out this kind of online skimming. These types of schemes can be traced back to 2015, with attacks on Magento e-commerce sites. Since then, the group has changed focus.

Willem de Groot, a security consultant, has been keeping tabs on these developments since they started and has been keeping a running tally on Twitter.

In the past two months, Magecart has been publicly linked to credit card information theft at Ticketmaster, British Airways, and Newegg as its malicious activities grow less specific in focus and broader in execution. (See British Airways Already Facing Lawsuits Following Data Breach.)

Those three widely known campaigns were dependent on third-party chat agent contractors to act as infection vectors. A chatbot from tech firm Inbenta had been used for customer support on the Ticketmaster websites that were formjacked.

A post-mortem showed that the malicious code may have been on the Ticketmaster website for almost a year. If you were an international Ticketmaster customer, you were warned by Ticketmaster that you may have been affected if you bought tickets between September 2017 and June 2018.

This wasn't just some skids at work. Altering the chatbot took some work. Executives with Inbenta have said that Magecart had exploited a number of vulnerabilities to target its front-end servers and alter the chatbot code.

There are other ways for Magecart to handle injection of malicious JavaScript than a poisoned supply chain, but few that are as efficient when all is in alignment.

The sudden growth in Symantec's blocking requests may be due to things becoming aligned.

For instance, Feedify is used by many websites to serve up push notifications to website visitors. It got hit by Magecart on September 11. While the company deleted the malware that Magecart had put into the site, it returned within 24 hours.

This caused some threat researchers to advise that companies stop using Feedify until the issue was resolved. However, for the British Airways and Newegg exploits, the initial infection vector that allowed the attackers to gain access to the websites is not known at this time.
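As an added illustration of the third-party script exposure described above (not code from the article, Symantec, or any affected site), the following JavaScript inventories the scripts a checkout page loads and flags third-party ones that are not pinned with Subresource Integrity. The page markup, hostnames and digest are constructed placeholders.

```javascript
// Added example: audit which scripts can run next to a payment form.
// Hostnames, markup and the integrity digest are constructed placeholders.

const SRI_RE = /^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$/;

// Parse the attributes of one opening tag into a lower-cased map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of raw.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per external script loaded by the page.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;               // inline script: nothing fetched to pin
    const src = new URL(attrs.src, page);   // resolves relative and //host URLs
    const thirdParty = src.host !== page.host;
    const pinned = SRI_RE.test(attrs.integrity || "");
    let risk = "ok";
    if (src.protocol !== "https:") risk = "insecure-transport";
    else if (thirdParty && !pinned) risk = "unpinned-third-party";
    findings.push({ src: src.href, thirdParty, pinned, risk });
  }
  return findings;
}

// Constructed checkout page: one first-party script and three vendor scripts.
const SAMPLE_CHECKOUT = `
<form id="pay"><input name="cc-number"><input name="cc-cvc"></form>
<script src="/static/checkout.js"></script>
<script src="https://chat.vendor.example/widget.js" async></script>
<script src="https://cdn.vendor.example/lib.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
<script src="http://push.vendor.example/sdk.js"></script>`;

const report = auditScripts(SAMPLE_CHECKOUT, "https://shop.example/checkout");
console.table(report);
```

A script flagged unpinned-third-party runs with full access to the payment form, so any change made at the vendor reaches the checkout page unreviewed.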

This one isn't going away so soon.


— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
