uTalk

thrive

Member

Registered: 2023-01-04

Posts: 1,985

WordPress, Magento, WooCommerce, and Shopify were all targeted

An ongoing campaign of web skimmers in the Magecart style has been discovered by cybersecurity researchers, and it is intended to steal credit card information and personally identifiable information (PII) from e-commerce websites.

The hijacked sites also act as "improvised" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites. This distinguishes it from other Magecart campaigns.

The personal information of thousands of website visitors may be at risk of being collected and sold for illegal gain, according to a statement from web security company Akamai that it has identified victims of varying sizes in North America, Latin America, and Europe.

"During the campaign, attackers use a variety of evasion techniques, including obfuscating [using] Base64 and masking the attack to resemble well-known third-party services, such as Google Analytics or Google Tag Manager," said Roman Lvovsky, a security researcher at Akamai.

In a nutshell, the plan is to compromise trustworthy legitimate websites and use them to host web skimmer code, taking advantage of the trustworthiness of the legitimate domains in the process. Attacks have sometimes been ongoing for almost a month.

According to Akamai, "attackers hack into (using vulnerabilities or any other available means), a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it, rather than using the attackers' own C2 server to host malicious code, which may be flagged as a malicious domain.".

As a result of the attacks, two different types of victims have been identified: vulnerable e-commerce websites that are the target of the skimmers, and legitimate websites that have been compromised to serve as a "distribution center" for malware.

Web-skimmer assault.

Some websites have unintentionally spread malware to other vulnerable websites while also being the target of data theft and identity theft.

According to Lvovsky, "this attack included the exploitation of Magento, WooCommerce, WordPress, and Shopify, demonstrating the growing variety of vulnerabilities and abusable digital commerce platforms.".

The technique creates a "smokescreen" that makes it difficult to recognize and respond to such attacks by taking advantage of the established trust the websites have accrued over time.

Other strategies are used by the campaign as well to avoid detection. This includes disguising the skimmer code as third-party services like Google Tag Manager or Facebook Pixel to hide its true purposes.

JavaScript code snippets are also used as loaders to retrieve the entire attack code from the victim's website, reducing the attack's footprint and chances of being discovered.

The two different versions of the obfuscated skimmer code are designed to intercept and exfiltrate PII and credit card information as an encoded string over an HTTP request to an actor-controlled server.

Every time a user completes checkout, exfiltration will only occur once, according to Lvovsky. "Once a user's information is stolen, the script will flag the browser to make sure it doesn't steal the information twice (to reduce suspicious network traffic). As a result, this Magecart-style attack is even more evasive.

Europ

Member

Registered: 2023-05-23

Posts: 1,406

Re: WordPress, Magento, WooCommerce, and Shopify were all targeted

https://i.imgur.com/jGyo68Z.png
An ongoing campaign of web skimmers in the Magecart style has been discovered by cybersecurity researchers, and it is intended to steal credit card information and personally identifiable information (PII) from e-commerce websites.

The hijacked sites also act as "improvised" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites. This distinguishes it from other Magecart campaigns.

The personal information of thousands of website visitors may be at risk of being collected and sold for illegal gain, according to a statement from web security company Akamai that it has identified victims of varying sizes in North America, Latin America, and Europe.

"During the campaign, attackers use a variety of evasion techniques, including obfuscating [using] Base64 and masking the attack to resemble well-known third-party services, such as Google Analytics or Google Tag Manager," said Roman Lvovsky, a security researcher at Akamai.

In a nutshell, the plan is to compromise trustworthy legitimate websites and use them to host web skimmer code, taking advantage of the trustworthiness of the legitimate domains in the process. Attacks have sometimes been ongoing for almost a month.

According to Akamai, "attackers hack into (using vulnerabilities or any other available means), a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it, rather than using the attackers' own C2 server to host malicious code, which may be flagged as a malicious domain.".

As a result of the attacks, two different types of victims have been identified: vulnerable e-commerce websites that are the target of the skimmers, and legitimate websites that have been compromised to serve as a "distribution center" for malware.

Web-skimmer assault.

Some websites have unintentionally spread malware to other vulnerable websites while also being the target of data theft and identity theft.

According to Lvovsky, "this attack included the exploitation of Magento, WooCommerce, WordPress, and Shopify, demonstrating the growing variety of vulnerabilities and abusable digital commerce platforms.".

The technique creates a "smokescreen" that makes it difficult to recognize and respond to such attacks by taking advantage of the established trust the websites have accrued over time.

Other strategies are used by the campaign as well to avoid detection. This includes disguising the skimmer code as third-party services like Google Tag Manager or Facebook Pixel to hide its true purposes.

JavaScript code snippets are also used as loaders to retrieve the entire attack code from the victim's website, reducing the attack's footprint and chances of being discovered.

The two different versions of the obfuscated skimmer code are designed to intercept and exfiltrate PII and credit card information as an encoded string over an HTTP request to an actor-controlled server.

Every time a user completes checkout, exfiltration will only occur once, according to Lvovsky. "Once a user's information is stolen, the script will flag the browser to make sure it doesn't steal the information twice (to reduce suspicious network traffic). As a result, this Magecart-style attack is even more evasive.

Hackers with various  attacks technics.  Its best to stick with the best digital platform: Utopia as done a great job and more are still yet to come