The researchers also discovered that a sister website eurotickets2020[.]com was hosting the same malicious code. As to the extent of the attacks and how many customers had been affected before the code was removed, a lot still remains unknown.
The researchers did, however, find some clues pointing to the extent of the attack, with the pair stating,
“Digging into the extent of the infection, Max and I found that the company’s other site, eurotickets2020.com is also compromised with the same variant of Magecart. This can be found by searching for the hash via UrlScan…The furthest date back this was scanned was 2 months ago according to UrlScan, so it is unclear exactly how long the malicious code has been on their site. Max also took a look at the URL using the Wayback Machine and found the skimmer indexed on December 3rd, 2019. The URL for the eurotickets site can be seen dated back to January 7th, 2020. This gives us a rough estimate that the code may have been on the site for 50 days, but it is always possible that it was there longer.”
Not Just Two Websites Targeted
Soon after the initial discovery, the pair of researchers found several more websites infected with malicious code intended for MageCart attacks. What was interesting about the later discoveries is that the group appeared to have changed tactics. In the attacks on the ticket resellers, the malicious code was injected into a legitimate script; on the other sites, no legitimate script was used to hide the malicious code. This increases the chances of being detected, but, as Max Kersten pointed out, it raises the question of why the infected websites are hosting the code in the first place. In an attempt to explain this oddity, the researchers stated,
“In the previous case (where two sites were owned by the same company), the skimmer was disguised within a legitimate jQuery library. On the one hand developers could have copied the library’s code to the server and used it. On the other hand, the servers could be breached by the actor(s), who then placed the link to the skimmer on the website.”
The two researchers continued to analyze what they had found and determined that many of the websites hosting the code had been infected in October and November 2019. The sites hosting the malicious code include Supreme Product, Parts Place Inc, Bahimi, Natural Pigments, Zhik, Tapis-Deluxe, Titans Sport, TJ VIP and CDNN Sports. The websites were notified on January 27, 2019, with almost all of them removing the malicious code from their sites in due course. At the time of writing, it appears Titans Sports has still not removed the code. The researchers also discovered several other files hosted on the group’s OpenDoorCDN domain, the first interesting one being a replica of the skimmer used but with different variable names. Another file, which was removed while analysis of the domain was ongoing, was a version of CoalaBot, a DDoS botnet.
The researchers then looked to stop the MageCart operation at its source by having the domain the group operated from taken down. The domain was hosted by the Russian hosting service Selectel and registered through a Chinese company called Webnic. Once contacted, Webnic took the domain name down, effectively ceasing the group’s skimming operations, for the moment at least. Readers who have made any transactions with the websites listed above are advised to contact their bank about replacing their bank card, as its details may have been skimmed. Card details stolen in this way are often sold online or used for online purchases. Even with the domain taken down and skimming operations halted, the group may register another domain in the future and continue operations. eCommerce web stores are advised to follow measures intended to protect themselves and their customer base, as MageCart attacks seem likely to be around for a while to come.
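The two tactics described above, a skimmer hidden inside a copy of a legitimate jQuery library and a skimmer loaded as a separate script, both come down to a script on the page no longer matching what the store's developers deployed. The following Python example is added here to illustrate one defensive measure a store can apply; it is not code from the article or from the researchers. It pins a script to a known-good copy with a Subresource Integrity (SRI) hash, checks a served copy against that pin, and lists the lines a served copy contains that the known-good copy does not. The library text and the appended "injected-placeholder" block are constructed samples, not real jQuery and not the skimmer from the article.

```python
import base64
import difflib
import hashlib

# Constructed sample: a stand-in for a legitimate library file (not real jQuery).
KNOWN_GOOD_JS = """/*! example-lib v1.0 (constructed sample, not real jQuery) */
(function (w) {
  w.exampleLib = { version: "1.0" };
})(window);
"""

# Constructed sample: the same library with extra code appended. The appended
# lines are inert placeholders standing in for code that is not upstream.
SERVED_JS = KNOWN_GOOD_JS + """(function () {
  /* injected-placeholder: this block is not in the upstream library */
})();
"""


def sri_hash(content: str, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ("sha384-<base64>") for a script body."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(served: str, expected_sri: str) -> bool:
    """True only if the served script body still hashes to the pinned SRI value."""
    algo, _, _ = expected_sri.partition("-")
    return sri_hash(served, algo) == expected_sri


def injected_lines(known_good: str, served: str) -> list[str]:
    """Lines present in the served copy but absent from the known-good copy."""
    diff = difflib.unified_diff(
        known_good.splitlines(), served.splitlines(), lineterm="", n=0
    )
    # Skip the "+++" file header; keep only added content lines.
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def script_tag(src: str, content: str) -> str:
    """Build a <script> tag pinned to the known-good content via SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    expected = sri_hash(KNOWN_GOOD_JS)
    print("pinned:", expected)
    print("served copy matches pin:", integrity_matches(SERVED_JS, expected))
    for line in injected_lines(KNOWN_GOOD_JS, SERVED_JS):
        print("  extra line in served copy:", line)
    # "https://cdn.example/lib.js" is a placeholder URL, not a real host.
    print(script_tag("https://cdn.example/lib.js", KNOWN_GOOD_JS))
```

A browser refuses to execute a script whose `integrity` hash does not match, so an appended skimmer in a library fetched from a CDN is blocked outright. The caveat is that SRI only protects what the HTML references: if the web server itself is breached, as the researchers suggested for the ticket sites, the attacker can edit the page to drop the attribute or update the hash. The pin therefore needs to be checked from outside the server as well, for example by a scheduled job that fetches the live page and scripts and compares them against the known-good copies, which is the same idea as the hash search the researchers ran through UrlScan.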