New ‘Magecart’ group used ad plugin to steal payment data from hundreds of websites
Hundreds of e-commerce websites have been hit with a card-skimming attack that compromised an advertising plugin, according to research from Trend Micro and RiskIQ.
It’s the latest in a series of attacks linked to Magecart, an umbrella term for a set of hacking groups that use different methods to steal payment data from websites.
Researchers said that while the attack resembled previous Magecart incidents, this one appears to have originated with a relatively new group that RiskIQ dubbed “Magecart Group 12.” Group 12’s attack affected 277 “ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands,” according to Trend Micro.
“This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are compromised. This gives Magecart access to a wide range of victims at once,” RiskIQ said.
Trend Micro said that Adverline remediated the issue and has coordinated with France’s computer emergency response team, CERT La Poste.
Group 12’s malicious script checks the victim’s current URL to look for keywords like “checkout,” “billing” and “purchase,” according to Trend Micro, an indication the code is looking for a page where a user will enter payment information. The script also looks for such keywords in French and German, researchers said.
The script is designed to capture anything typed into a form on a keyword-triggered page.
Researchers found that Group 12’s script caches captured information in the user’s browser, until the user refreshes or visits another page. The data then is exfiltrated to the attackers’ servers.
Although loosely-associated, groups under the “Magecart” umbrella have been linked to card-skimming attacks that have hit Ticketmaster, Newegg, British Airways, OXO and others.