Under-resourced webstores urgently need our help, say security researchers

Magecart payment card data thieves play cat-and-mouse game with researchers, law enforcement

The discovery of Magecart card skimming infrastructure lurking behind a ‘bulletproof’ hosting service is just the latest example of how the notorious e-commerce heisters mask their activities.

RiskIQ research published last week revealed that Magecart groups, which plant JavaScript skimmers on website checkout pages to hoover up payment form data, were hiding thousands of malicious domains on ‘cybercrime-friendly’ hosting service Media Land.

Obfuscation techniques

Magecart skimmers, which can gain a foothold on websites via malicious or compromised third-party JavaScript libraries, use obfuscation to keep infections undetected for long periods.


BACKGROUND Magecart: How a single skimming case evolved into widespread credit card theft


Jacob Pimental, incident response analyst at T Rowe Price, observed a marked shift in obfuscation techniques used during 2020 alone, as attackers capitalized on the online shopping surge precipitated by Covid-19.

ObfuscatorIO, a free, open source JavaScript obfuscator, was preeminent initially, but “recent trends have been hiding code in images or legitimate CSS files,” he tells The Daily Swig.

Shape-shifting skimmers can evade detection with modest, unoriginal adaptations, according to malware analyst Max Kersten.


Credit card payment data is stolen by Magecart skimmersMagecart attackers exploit vulnerabilities in e-commerce website backend systems


“Techniques change over time, but change does not always mean that a technique is new,” he tells The Daily Swig, citing scripts obfuscated with radix loaders, notably deployed by highly active newcomers Magecart 12.

“We learn from the past, as we do in all fields, but small alterations from the attackers (and the pressure that security software should not alert false positives) make it hard to continually keep up,” says Kersten.

“The major players in this business are able to do that, but small shops generally do not have such a license.”

Mom and popular targets

Attackers do occasionally claim high-profile victims, such as Macy’s, British Airways, and several unidentified, high traffic domains infected via a ‘spray and pray’ attack dissected by RiskIQ in 2019.

However, both Pimental’s and Kersten’s Magecart research demonstrates that small ‘mom and pop’ web shops are much easier to compromise.

“Many small shops are installed by an IT professional as a one-time job, after which the shop owner takes over,” says Kersten. “The shop owner might not know credit card skimmers exist, nor be aware of best practices in IT security in general.”


RELATED Magecart gang bypasses iframe protection on hosted payment site



Many consequently fail to apply software updates – more than 200,000 web shops had failed to upgrade from Magento 1 a week after it reached end of life in June 2020, for instance.

Pimental believes Magecart researchers should improve communication channels with “shop owners, as most of them won't respond when I or other researchers reach out to them.”

The “helpful spirit” encountered in the security community by Kersten bodes well for the prospect of achieving such goals: “During my research I met a lot of great people who offered their help and service without expecting any payment,” he says.

Reasons for optimism

Although “2020 saw Magecart actors engaged in continual innovation to hide both their skimming code and their exfiltration channels and continued successful attacks on a large scale”, RiskIQ threat researcher Jordan Herman believes “there is reason to feel optimistic as we kick-off 2021”.

“A substantial increase in awareness generally and focused analysis and reporting from security researchers” is exposing “new techniques as they are implemented, uncovers new skimmer domains and infrastructure, and connects the dots between them to correlate the gathered data and attribute it to a criminal group,” Herman tells The Daily Swig.

Undertaken over several years, this painstaking work bore fruit in the arrest in January 2020 of three suspects linked to a large-scale Magecart campaign.

While Pimental expects Magecart attacks will continue to become more sophisticated and “harder to spot”, Herman anticipates that 2021 will “see more pressure on these groups from various law enforcement agencies and disruption to their activities, as well as a continued commitment from a varied group of security professionals to tracking and exposing the ongoing criminal activity”.


RECOMMENDED Introducing Malvuln.com – the first website ‘exclusively dedicated’ to revealing security vulnerabilities in malware