Thursday, November 30, 2023

Magecart Attack – Incident Investigation and The Key Takeaways

Magecart is a malicious threat actor ,operating in structured groups ( Group 1 to Group 6 ) and all this groups and their modus operandi is web skimming. Magecart groups uses varies tools ,techniques and tactics to get a unauthorized access on vulnerable website (eCommerce websites ) and they tamper the source code and add additional obfuscated JavaScript which acts as web skimmer.Motive of this groups is to steal payment-card data and PII from e-commerce sites checkout page and sell them on Dark web.

Groups implant malicious JavaScript directly to the vulnerable website or Either through supply chain attacks. Majority of the groups ,Often compromises an website supported external services or vendors source code to implant the web skimmer, Which is Third party apps integrated to your website ( Example : Chatbot ,Adversiting etc )

Lets See How these Groups Approach Your website :

Above picture illustrated that ,Attacker is trying to see the bigger picture of your web application and its external thirty party apps ( Advertising ,Ad Exchange ,CDN Fonts ,Hosted Libraries etc) , Now attackers will try all possible ways to compromise your website directly or through supply chain attacks.

Lets see what happens when you do happy shopping on this skimmer implanted websites :

Once the victim successfully proceed checkout ,A new page appears to get your card number ,CVV, expiry date.Once transaction is complete your order is placed.All the payment-card data are stolen and data is ex filtrated to malicious domain.

NOTE: Transactions are made through dummy credit cards and now its time to see what happens behind the scene of shopping .

Lets See The Indicator of Compromise :

lets start with page inspection ,When i check the ( View source ) on the shopping check out page .Below obfuscated JavaScript code is detected and this is enclosed with Google tag.This looks something weird.

While reviewing the above code , long alphabetical string which ends with = is found.Looks like attacker has successfully implanted the malicious JavaScript and they are trying to fetch data with base64 encoded value to evade detection.

When i try to decode the encoded base64 value ,this is what happens. Base64 decode results as Unknown website.

Unknown website is submitted to VirusTotal to check the reputation and results came up with 6/82.Some Av Vendors flagged this website as malicious.

Apart from virus total analysis ,I have downloaded above URL source code to review any anomaly.

Yes !!! Its confirmed the code is malicious and related with web skimming to steal all the customers payment-card data.

Reviewing The Content Security Policy :

NOTE : While proceeding checkout on shopping website ,My sniffer was running at background .Lets check there results also.

Content Security Policy (CSP) is an additional layer of security that helps to detect and mitigate certain types of attacks.This layer of security provides policies to harden like where to get and execute the scripts on your websites. Lets check the same with this case.

Above image shows that ,CSP is ensuring that above domains are allowed to execute scripts on the Referrer,Which is nothing but a cart check out page where the user is going do an transaction.

Since shopping cart website have given the CSP with wildcard * .Attacker taking this advantage and overwriting his own malicious domain which is bypassing the CSP.

Now sniffer shows that all the user payment details are exfiltrated to malicious actors domain.Its always necessary and thumb rule to secure your code and review your clients code too !!! Happy Investigation !!


Latest articles

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

Zyxel Command Injection Flaws Let Attackers Run OS Commands

Three Command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products,...

North Korean Hackers Attacking macOS Using Weaponized Documents

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution...

Most Popular Websites Still Allow Users To Have Weak Passwords

The latest analysis shows that tens of millions of people are creating weak passwords...

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles