According to recent research, a wave of cyber attacks on e-commerce retailers running the Magento 1.x platform in September this year has been attributed to a single group.
This group has carried out a large number of diverse Magecart attacks, often hitting many websites at the same time, either through supply chain attacks such as the Adverline incident or through the use of exploits such as the September attacks on Magento 1, according to an analysis published today by RiskIQ.
The attacks, commonly known as Cardbleed, targeted at least 2,806 Magento 1.x online stores and were carried out after Magento 1.x reached end of life in June 2020.
Injecting skimmers into shopping websites to steal credit card details is a tried and tested method of Magecart, an umbrella term for various hacker groups that focus on online shopping cart systems.
But in recent months, Magecart operators have stepped up their efforts to hide card-skimming code in image metadata and have even launched IDN homograph attacks to hide web skimmers in a site’s favicon file.
Cardbleed, first documented by Sansec, uses a set of domains to interact with the Magento admin panel, then uses the Magento Connect feature to download and install a piece of malware called mysql.php, which is automatically removed once the skimmer code has been added to prototype.js.
Now, according to RiskIQ, the attacks carry all the hallmarks of a group it tracks as Magecart Group 12, based on overlaps in infrastructure and methods across different attacks, from Adverline in January 2019 to Olympic ticket resellers in February 2020.
In addition, the skimmer used in the compromise is a variant of the Ant and Cockroach skimmer first observed in August 2019 – the function named Ant_cockcroach() and the Ant_check variable are found in the code.
It is interesting to note that one of the domains identified by the researchers (myicons […] net) also links the group to another campaign conducted in May, in which Magento’s favicon file was used to hide the skimmer on payment pages and to load a fake payment form that stole the entered information.
But just as the malicious domains were taken down, Group 12 was quick to swap in new domains to keep its operations going.
According to the researchers at RiskIQ, since the [Cardbleed] campaign became widely known, the perpetrators have changed their infrastructure. They moved the skimmer loading to ajaxcloudflare[.]com, which has also been active since May, and moved the exfiltration to a newly registered domain, console[.]in.
Incidentally, these attacks are further evidence that attackers continue to innovate, toying with different methods of obfuscation and misdirection in their code to avoid detection, according to Jordan Herman, threat researcher at RiskIQ.
The root cause of this compromise is the continued use of Magento 1 on websites, even though it reached end of life in June of this year, according to Herman. A particular mitigation would therefore be to move to Magento 2, even though the cost of an upgrade may be prohibitive for smaller merchants.
There is also a company called Mage One that continues to support and patch Magento 1. At the end of October they released a patch to mitigate the specific vulnerability exploited by the actor. Ultimately, the best way to prevent such attacks is for e-commerce companies to keep a full inventory of the code on their website so that they can identify outdated versions of software and other vulnerabilities that could lead to a Magecart attack, he added.
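As an added example (not code from the article, RiskIQ or Sansec), the baseline-and-audit check below is one way to act on that inventory advice: hash every code file in a clean Magento web root, then re-scan to flag added files (such as a dropped mysql.php), modified files (such as prototype.js with a skimmer appended) and the Ant_cockcroach / Ant_check identifiers and domains named above. The directory layout, file contents and the demo() function are constructed for illustration.

```python
"""Baseline-and-audit check for a Magento web root (added example, not from the article)."""
import hashlib
import tempfile
from pathlib import Path

# Identifiers the article reports in the Ant and Cockroach skimmer variant.
SKIMMER_MARKERS = (b"Ant_cockcroach", b"Ant_check")
# Loader / exfiltration domains named in the article (defanging brackets removed).
SKIMMER_DOMAINS = (b"ajaxcloudflare.com", b"console.in")
CODE_SUFFIXES = {".js", ".php", ".phtml"}

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Record the hash of every code file; run this against a known-clean install."""
    return {str(p.relative_to(root)): _sha256(p)
            for p in root.rglob("*") if p.suffix in CODE_SUFFIXES}

def audit(root: Path, baseline: dict) -> list:
    """Compare the live tree to the baseline; flag added/modified files and skimmer indicators."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.suffix not in CODE_SUFFIXES:
            continue
        rel = str(p.relative_to(root))
        if rel not in baseline:
            findings.append(("added", rel))        # e.g. a dropped mysql.php
        elif baseline[rel] != _sha256(p):
            findings.append(("modified", rel))     # e.g. prototype.js with skimmer appended
        data = p.read_bytes()
        for marker in SKIMMER_MARKERS + SKIMMER_DOMAINS:
            if marker in data:
                findings.append(("indicator", rel, marker.decode()))
    return findings

def demo() -> list:
    """Constructed sample: a clean store, then a Cardbleed-style compromise of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js = root / "js" / "prototype" / "prototype.js"
        js.parent.mkdir(parents=True)
        js.write_text("var Prototype = {Version: '1.7'};\n")   # constructed clean file
        baseline = build_baseline(root)
        # Simulate the compromise described in the article (constructed content).
        js.write_text(js.read_text() + "function Ant_cockcroach(){}var Ant_check=1;\n")
        (root / "mysql.php").write_text("<?php /* constructed stand-in for the dropped file */\n")
        return audit(root, baseline)
```

In practice the baseline should be generated from a fresh install of the exact Magento version and patch level in use, and stored outside the web root so an attacker with write access cannot update it.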