Advertisement

New ‘Magecart’ group used ad plugin to steal payment data from hundreds of websites

The attack bears similarity to Magecart activity, but researchers say a new Magecart group is behind it.
(Pixabay)

Hundreds of e-commerce websites have been hit with a card-skimming attack that compromised an advertising plugin, according to research from Trend Micro and RiskIQ.

It’s the latest in a series of attacks linked to Magecart, an umbrella term for a set of hacking groups that use different methods to steal payment data from websites.

Researchers said that while the attack resembled previous Magecart incidents, this one appears to have originated with a relatively new group that RiskIQ dubbed “Magecart Group 12.” Group 12’s attack affected 277 “ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands,” according to Trend Micro.

The researchers said the group had been a minor player in the past, finding ways to inject its code into individual e-commerce websites. But when the hackers infected a JavaScript library used by the French advertising firm Adverline in 2018, the hackers “sent activities into overdrive,” according to RiskIQ.

Advertisement

“This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are compromised. This gives Magecart access to a wide range of victims at once,” RiskIQ said.

Trend Micro said that Adverline remediated the issue and has coordinated with France’s computer emergency response team, CERT La Poste.

Group 12’s malicious script checks the victim’s current URL to look for keywords like “checkout,” “billing” and “purchase,” according to Trend Micro, an indication the code is looking for a page where a user will enter payment information. The script also looks for such keywords in French and German, researchers said.

The script is designed to capture anything typed into a form on a keyword-triggered page.

Researchers found that Group 12’s script caches captured information in the user’s browser, until the user refreshes or visits another page. The data then is exfiltrated to the attackers’ servers.

Advertisement

Although loosely-associated, groups under the “Magecart” umbrella have been linked to card-skimming attacks that have hit Ticketmaster, Newegg, British Airways, OXO  and others.

Latest Podcasts