Magecart Group 12 is known for targeting e-commerce websites with the goal of skimming payment information from online shoppers and selling it on the dark web. The credit-card skimming group is now using PHP web shells to secure remote administrative access to the sites under attack and steal card data, rather than its previously favored JavaScript code, which it simply injected into vulnerable sites to log the information keyed into online checkout pages.
Researchers from Sucuri have learned that the scammers are saving the stolen credit-card data in .JPG files until it can be exfiltrated from the compromised e-commerce sites, which run Magento. Most site owners are stuck on an old version of Magento and unable to upgrade because they lack the funds to hire a developer back once their site becomes out of date and vulnerable.
The cost to migrate a Magento 1 website (which reached its end of life in 2020) to the more secure Magento 2 ranges from $5,000 to $50,000. Researchers believe that Magecart will continue to evolve and enhance its attack techniques as long as its cybercrimes keep turning a profit.
“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file. The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file,” researchers explained.
In this new methodology, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block because it injects the skimmer code server-side rather than client-side. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner,” Luke Leal, a researcher at Sucuri, stated.
“The latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics. The most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection,” Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, told Threatpost.
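Both tricks described above (a PHP file named like a favicon image, and a .JPG used as a text stash for harvested card data) can be triaged on a web root by checking whether image-named files actually carry image bytes. This is an added example for defenders, not Sucuri's tooling or the real files from its report; the magic-byte table, the printable-text heuristic, the finding strings and the sample file contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Magic numbers for the image types the fake files impersonated (PNG, JPEG, ICO).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".ico": b"\x00\x00\x01\x00",
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def mostly_printable(body: bytes, threshold: float = 0.9) -> bool:
    """Heuristic: real image data is binary; a text stash is mostly printable ASCII."""
    printable = sum(1 for b in body if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return bool(body) and printable / len(body) >= threshold

def inspect_image(name: str, data: bytes) -> list[str]:
    """Return findings for one file whose extension claims it is an image."""
    ext = Path(name).suffix.lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return []  # not an image extension, out of scope here
    findings = []
    header_ok = data.startswith(expected)
    if not header_ok:
        findings.append("header does not match %s magic bytes" % ext)
    if PHP_TAG.search(data):
        findings.append("contains a PHP open tag")
    if header_ok and mostly_printable(data[len(expected):]):
        findings.append("valid header but body is plain text")
    return findings

def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a web root and report only the image-named files with findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in MAGIC:
            found = inspect_image(p.name, p.read_bytes())
            if found:
                report[str(p)] = found
    return report

# Constructed samples standing in for the files described in the report.
SAMPLES = {
    "favicon.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2,  # genuine-looking PNG
    "Magento.png": b"<?php /* constructed web-shell stand-in */ ?>",  # PHP posing as PNG
    "data.jpg": b"\xff\xd8\xff\xe0" + b"pan=4111...|exp=12/25\n" * 4,  # text stash, JPEG header
}
```

Run `scan_webroot("/var/www/html")` (path assumed) on a Magento install; the printable-text heuristic will also fire on some legitimate SVG-in-disguise or corrupt thumbnails, so treat hits as triage leads rather than verdicts.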
In September 2020, Magecart Group 12 hacked nearly 2,000 e-commerce sites in an automated campaign impacting tens of thousands of customers, who had their credit cards and other information stolen. Scammers employed the classic Magecart attack technique, in which e-commerce sites are injected with a web skimmer that secretly exfiltrates personal and banking information entered by users during the online checkout process.