Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

9/28/2018
08:05 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Magecart Group Likely Behind Increase in Formjacking Attacks

A recent analysis by Symantec researchers has found a significant increase in formjacking attacks. The reason, according to some, is an increase in activity from the Magecart group.

A extremely specific type of attack that is used to steal credit card details and other e-commerce data, called formjacking, has seen a significant spike over the last 30 days, according to a new analysis from Symantec.

Formjacking is a term that describes the use of malicious JavaScript code to steal credit card details, as well as other information from payment forms on the checkout web pages of e-commerce sites, such as Amazon or Wal-Mart.

While not a new technique, recent formjacking campaigns have shown them to be large, sophisticated, was well as increasing dramatically since mid-August. Symantec researchers claimed to have blocked 248,000 formjacking attempts since then. More than one third of those blocks -- 36% -- occurred from September 13 to 20, according to Symantec.

When they compared the week of September 13 to the same week in August, the number of instances of formjacking had more than doubled. It was observed by Symantec that the blockage requests jumped from just over 41,000 to almost 88,500 -- a percentage increase of 117%.

The increases in formjacking seem to be linked to Magecart, the name of a threat actor that has previously carried out this kind of online skimming. These types of schemes can be traced back to 2015, with attacks on Magneto e-commerce sites. Since then, the group has changed focus.

Willem de Groot, a security consultant, has been keeping tabs on these developments since they started and has been keeping a running tally on Twitter.

In the past two months, Magecart has been publicly linked to credit card information theft at Ticketmaster, British Airways, and Newegg as its malicious activities grow less specific in focus and broader in execution. (See British Airways Already Facing Lawsuits Following Data Breach.)

Those three widely known campaigns were dependent on third-party chat agent contractors to act as infection vectors. A chatbot from tech firm Inbenta had been used for customer support on the Ticketmaster websites that were formjacked.

A post-mortem showed that the malicious code may have been on the Ticketmaster website for almost a year. If you were an international Ticketmaster customer, you were warned by Ticketmaster that you may have been affected if you bought tickets between September 2017 and June 2018.

This wasn't just some skids at work. Altering the chatbot took some work. Executives with Inbenta have said that Magecart had exploited a number of vulnerabilities to target its front-end servers and alter the chatbot code.

There are other ways for Magecart to handle injection of malicious JavaScript than a poisoned supply chain, but few that are as efficient when all is in alignment.

The sudden growth in Symantec's blocking requests may be due to things becoming aligned.

For instance, Feedify is used by many websites to serve up push notifications to website visitors. It got hit by Magecart on September 11. While the company deleted the malware that Magecart has put into the site, it returned within 24 hours.

This caused some threat researchers to advise that companies stop using Feedify until the issue was resolved. However, for the British Airways and Newegg exploits, the initial infection vector that allowed the attackers to gain access to the websites is not known at this time.

This one isn't going away so soon.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.