Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

9/28/2018
08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Magecart Group Likely Behind Increase in Formjacking Attacks

A recent analysis by Symantec researchers has found a significant increase in formjacking attacks. The reason, according to some, is an increase in activity from the Magecart group.

A extremely specific type of attack that is used to steal credit card details and other e-commerce data, called formjacking, has seen a significant spike over the last 30 days, according to a new analysis from Symantec.

Formjacking is a term that describes the use of malicious JavaScript code to steal credit card details, as well as other information from payment forms on the checkout web pages of e-commerce sites, such as Amazon or Wal-Mart.

While not a new technique, recent formjacking campaigns have shown them to be large, sophisticated, was well as increasing dramatically since mid-August. Symantec researchers claimed to have blocked 248,000 formjacking attempts since then. More than one third of those blocks -- 36% -- occurred from September 13 to 20, according to Symantec.

When they compared the week of September 13 to the same week in August, the number of instances of formjacking had more than doubled. It was observed by Symantec that the blockage requests jumped from just over 41,000 to almost 88,500 -- a percentage increase of 117%.

The increases in formjacking seem to be linked to Magecart, the name of a threat actor that has previously carried out this kind of online skimming. These types of schemes can be traced back to 2015, with attacks on Magneto e-commerce sites. Since then, the group has changed focus.

Willem de Groot, a security consultant, has been keeping tabs on these developments since they started and has been keeping a running tally on Twitter.

In the past two months, Magecart has been publicly linked to credit card information theft at Ticketmaster, British Airways, and Newegg as its malicious activities grow less specific in focus and broader in execution. (See British Airways Already Facing Lawsuits Following Data Breach.)

Those three widely known campaigns were dependent on third-party chat agent contractors to act as infection vectors. A chatbot from tech firm Inbenta had been used for customer support on the Ticketmaster websites that were formjacked.

A post-mortem showed that the malicious code may have been on the Ticketmaster website for almost a year. If you were an international Ticketmaster customer, you were warned by Ticketmaster that you may have been affected if you bought tickets between September 2017 and June 2018.

This wasn't just some skids at work. Altering the chatbot took some work. Executives with Inbenta have said that Magecart had exploited a number of vulnerabilities to target its front-end servers and alter the chatbot code.

There are other ways for Magecart to handle injection of malicious JavaScript than a poisoned supply chain, but few that are as efficient when all is in alignment.

The sudden growth in Symantec's blocking requests may be due to things becoming aligned.

For instance, Feedify is used by many websites to serve up push notifications to website visitors. It got hit by Magecart on September 11. While the company deleted the malware that Magecart has put into the site, it returned within 24 hours.

This caused some threat researchers to advise that companies stop using Feedify until the issue was resolved. However, for the British Airways and Newegg exploits, the initial infection vector that allowed the attackers to gain access to the websites is not known at this time.

This one isn't going away so soon.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.