Cyble-Magecart

Highly evasive Magecart JavaScript Skimmer active in the wild

Payment Data Stolen From Compromised Magento Sites

During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting JavaScript skimmer created by the Magecart threat group (a consortium of malicious hacker groups who target online shopping cart systems) that steals payment information from the Magento e-commerce website.

Magecart is a wider term for several threat groups who compromise e-commerce websites and inject card-skimming scripts on checkout pages to steal customers’ payment details as well as their personal data.

Magento card-skimming

Magento is a PHP-based open-source e-commerce platform that helps programmers create their own e-commerce websites. It is a self-hosted content management system currently owned by Adobe. Approximately 250,000+ websites use Magento to power their e-commerce websites. This platform also allows website owners to add Google Analytics and other third-party integrations such as eBay, PayPal, Mailchimp, etc.

Magento card skimming is a type of web skimming wherein Threat Actors (TAs) exploit software vulnerabilities in the Magento e-commerce sites to gain access to the website’s source code. Upon gaining access, the TAs inject malicious JavaScript into the compromised website, which keeps an eye on the payment forms & checkout pages.

This script allows TAs to steal necessary banking information such as the owner’s name, credit/debit card number, CVV number, and expiry date. It also allows them to exfiltrate data from the compromised website. TAs, typically generate revenue by selling this stolen information on the black market. The sold data is used to make unauthenticated online transactions, transfer money, and buy and ship goods overseas.

While conducting this analysis, we observed that when a user visits the compromised website, the skimmer loads the payment overlay form from an embedded JavaScript file “media/js/js-color.min.js” and asks the user to enter their payment information.

The below figure shows an obfuscated skimmer script used for stealing payment information.

Figure 1 – An obfuscated JavaScript skimmer code

The below figure shows the payment page of the compromised Magento site, which prompts visitors to enter their credit/debit card information to process the transaction.

Figure 2 – Compromised website payment form (Source: lukeleal.com)

Upon entering the payment details in the above form, the JavaScript file collects and processes all the input details given by the victims who are shopping on the compromised website and then sends them to the URL mentioned in the JavaScript.

Technical Analysis

For our analysis, we have taken the following sample hash (SHA256):

fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0, which is an obfuscated JavaScript file.

The below figure shows the obfuscated and de-obfuscated content of the JavaScript file.

Figure 3 – An Obfuscated & De-Obfuscated JavaScript code

Upon executing the JavaScript, it checks for the presence of standard skimmer anti-detect features that prevent it from loading if the browser’s dev tool is open.

Figure 4 – Anti-detect check

After checking for anti-detect, the malware allows the user to enter the payment’s credit/debit card details along with other details such as first name, last name, address, telephone, email ID, etc.

Then, it verifies the length of the following details entered by victims in the payment form and calls an execute() function, as shown in Figure 5.

  • #pas_ccnum – The length of the card number should be greater than 14
  • #pas_expiry – The length of the Expiry should be equal to 5
  • #pas_cccvc – The length of the Security Code should be greater than or equal to 3
Figure 5 – Input details length check

The execute() function collects all the input details entered by the victims and pushes them into the array “data,” as shown in the below figure.

Figure 6 – Collected payment details from victims

Next, the execute() function converts the  JavaScript “data” value into a JSON string by using the JSON.stringify() function.

Then, it performs the split(), reverse(), join(), encodeURIComponent() and  unescape() operations on the JSON string content and converts the results into Base64-encoded format string using the btoa() function.

After that, it exfiltrates the Base64-encoded payment details to the below URL using the POST method.

  • united81[.]com/css/images/<Randomnumber>[.]png
Figure 7 – Code snippet of exfiltration

Conclusion

Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected. Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.

Cyble Research & Intelligence Labs actively monitors new malicious campaigns to keep our readers updated with our latest findings about skimming and other types of data-stealing attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Avoid downloading pirated software from warez/torrent websites.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity. 
  • Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
  • Keep your devices, operating systems, and applications updated.
  • Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) Solution on the employees’ systems.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Execution  T1059Command and Scripting Interpreter
Defense Evasion  T1027Obfuscated Files or Information
Discovery  T1518Security Software Discovery
Credential Access  T1417Input Capture
Command and Control  T1071Application Layer Protocol
Exfiltration T1041Exfiltration Over C&C Channel

Indicators of Compromise (IOCs)

IndicatorsIndicator
Type
Description
f5dceb6097a46b01202fececfd494de6
8b064625fd8566fe9ed10ebb77f4642025388a18
fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0
MD5
SHA1
Sha256
js-color.min.js File
united81[.]com/css/images/28555284977696[.]pngURLdata exfiltration Domain
Scroll to Top