A MageCart Attack Ramps up Innovation Levels

Towards the start of the fourth quarter of 2019, a steady rise in MageCart attacks was detected by several security firms. These attacks, which rely on the attacker injecting malicious code into the scripts of shopping cart applications in order to skim the card details entered by customers. The stolen card details are then used for fraudulent transactions, or the smarter approach is to sell the details on the Dark Web. The latest shopping cart offering that was targeted was WooCommerce, with details of the attack emerging less than a month ago. Now a new MageCart attack campaign has illustrated a novel and innovative approach in order to infect victims and steal customer card details.

In summary, the attack involved the hacker creating a fake website that supposedly offered thousands of icons that could be used by website owners. Covertly, the icons hid the card skimming script and made use of a server-side trick to make sure the code was injected in shopping cart applications. The attack was discovered and analyzed by Malwarebytes, who subsequently found that the attack was a carefully crafted ruse to further the aims of a credit card skimming operation.

Looking at the campaign in greater detail, researchers discovered that their web crawler was making several requests to a domain called myicons[.]net. On closer inspection, the domain appeared to be a site that provided icons to websites, in particular favicons, the icons used in the top left sections of open browser tabs. Researchers then discovered that the Magento, a popular eCommerce platform, logo available on the domain has been used by several eCommerce websites.

magecart attack using favicon

This in itself is not suspicious and would be expected behavior for smaller websites using shared icons to save on potential graphic design costs. What was suspicious was that whoever registered the domain simply stole all the content from a legitimate website, iconarchive.com, providing the same service. The content theft was done in the simplest of ways, by simply adding the content via an HTML iFrame. Given that the myicons[.]net website displayed some obvious suspicious behavior more research was carried out.

Suspecting that the favicons may have been used to spread malware, researchers believed that the favicons applied a form of steganography, a method of hiding malware within an image's code. However, the image's code had not been modified in any malicious way and was formatted correctly. For the moment, it looked as if the situation was merely a false alarm. It was only when researchers visited one of the compromised eCommerce websites using the questionable Magento logo that the picture was revealed. Instead of serving the favicon’s .png file when the checkout page was loaded, which would be expected, the malicious server returned JavaScript code that when processed by the browser a credit card payment form would be presented to the buyer. Further, the content generated by the malicious code would override the PayPal checkout option with its own drop-down menu that allowed for the selection of several credit card manufacturers including Visa and Mastercard.

Ant and Cockroach

The card skimming portion of the malware has been called “Ant and Cockroach” by other security researchers namely due a function labeled ant_cockcroach() and a variable ant_check found in the code. Currently, it is believed that the function and the variable relate to code that checks for active developer tools but it is most certainly a unique naming scheme that begs to be used by researchers in helping separate this attack from the sheer amount of other MageCart attacks happening in the wild. Another unique characteristic of the skimming module is that it has been specifically set to generate English and Portuguese checkout forms. Like other skimmers, the JavaScript code injects HTML code which is designed to render exactly like checkout pages users have come to expect so as not to raise suspicions. Another feature that deserves to be mentioned is the skimmer will also look to harvest personal information including, names, addresses, phone numbers, and emails. The combination of personal information and credit card makes it easier for the attacker or other fraudsters to commit a variety of fraudulent crimes which will impact the victim.

The final task of the malware is to encode the data and send it to command and control servers under the attackers control where the mass of stolen information can be sold onto the highest bidder or used by the attacker in a number of other ways. The command and control server is another point of interest. The server's address is 83.166.244[.]76 which cropped in a separate analysis conducted by security firm Securi, this time the attacker used a domain name generator which was tied to certain times in an attempt to escape detection. Again the skimmer was injected into Magento cart applications. Due to the code injection, it is very hard for card skimming activity to remain undetected, further when victims begin to report fraudulent transactions on their bank cards a paper trail is created that is most certainly traceable. As to the domain generation, researchers noted,

“The approach of generating pseudo-random domain names to download malicious payloads is not new. Back in 2012, we saw this same practice used by the massive runforestrun malware campaign. This method helps hackers try to minimize damage from malicious domain blacklisting without having to update their injections on compromised sites. While it may sound reasonable in theory (when security companies only react to what they find in the traffic generated by malware), in practice, it’s quite easy for security researchers to reverse engineer the domain generating algorithm and accurately predict which domain names the malware will be using in the future. That being said, we haven’t seen the use of dynamic domain name generating algorithms in web skimmers before. It shows that the bad actors are constantly looking for new tricks to increase efficiency of their malware.”

Malwarebytes saw a 26% rise in MageCart attacks in March. The rise can at least be attributed in part by people under lockdown due to the COVID-19 pandemic being forced to use online merchants as much as possible but such activity has risen constantly since the fourth quarter of 2019. The problem was neatly summarised by Securi researchers as,

“As expected, bad actors are trying every new (and old) trick in the book to increase the ROI (return on investment) of their attacks, which include targeting popular online stores and making the malware as hard to detect — and block — as possible. Dynamically generating new domain names for each month is a relatively rare trick, though it’s probably not very efficient. We’ll definitely see more new obfuscation and detection prevention techniques from web skimmer authors soon.”

Sleight of Hand

Securi’s prediction proved to be eerily accurate. Hackers have developed a well-earned reputation for developing novel ways to trick users, much like magicians the more novel and unique a trick is the more attention it is likely to garner. It would seem that the hosting of a fake favicon website would be a first, especially for card skimming operations. Securi is also of the opinion that the use of the domain name generator was also a first for MageCart attacks. As to whether what was done by the card skimming operation was unique is up for debate.

In 2017, the Zirconium group hosted 28 separate websites associated with the same number of fake ad-agencies to conduct a massive malvertising campaign. Another attack campaign dating back to 2018 distributed the Orcus RAT via a registered Canadian company pretending to offer remote access software for enterprise workers. For hackers operating in the darkness of the Internet’s underbelly new and novel ways to make malware more efficient and add lists of victims will continue. This cyber arms race shows no signs of slowing as hackers look to outsmart those defending networks and vice versa. What makes the scenario infinitely more complex is that while some look to innovate others look to emulate, resulting in numerous copy cats looking for something that works and will turn a quick profit.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal