
How Hackers Can hijack legit sites to host credit card stealer scripts


A new Magecart credit card stealing campaign hijacks legitimate sites to act as “makeshift” command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.

A Magecart attack is when hackers breach online stores to inject malicious scripts that steal customers’ credit cards and personal information during checkout.

According to Akamai’s researchers monitoring this campaign, it has compromised organizations in the United States, the United Kingdom, Australia, Brazil, Peru, and Estonia.

The cybersecurity firm also points out that many of the victims have not realized they were breached for over a month, which is a testament to the stealthiness of these attacks.

Abusing legitimate sites

The attackers’ first step is to identify vulnerable legitimate sites and hack them to host their malicious code, using them as C2 servers for their attacks.

By distributing credit card skimmers through legitimate websites with a good reputation, the threat actors evade detection and blocking, and avoid having to set up their own infrastructure.

Next, the attackers inject a small JavaScript snippet into the targeted eCommerce sites that fetches the malicious code from the websites compromised in the first step.

“Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites’ digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or vulnerable third-party services used by the website,” explains Akamai in the report.

To add to the attack’s stealthiness, the threat actors have obfuscated the skimmer with Base64 encoding, which also hides the host’s URL, and built its structure in a way that resembles that of Google Tag Manager or Facebook Pixel, which are popular third-party services unlikely to raise suspicion.

Figure: Obfuscated URL of host site in the code snippet (Akamai)

Data theft details

Akamai reports seeing two variants of the skimmer used in the particular campaign.

The first is a heavily obfuscated version containing a list of CSS selectors that target customer PII and credit card details. The CSS selectors were different for each targeted site, custom-made to match each victim.

Figure: The heavily obfuscated first skimmer variant (Akamai)

The second skimmer variant was not as well protected, exposing indicators in the code that helped Akamai map the campaign’s reach and identify additional victims.

After the skimmers steal the customers’ details, the data is sent to the attacker’s server via an HTTP request issued through an IMG tag created by the skimmer.

Figure: Stolen data exfiltration using IMG tag (Akamai)

A layer of Base64 encoding is applied to the data to obfuscate the transmission and minimize the likelihood of the victim discovering the breach.
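The two traits described above, a loader whose host URL is hidden behind Base64 and exfiltration through an image request carrying Base64-encoded form data, can both be checked for on the defender's side. The following Node.js script is an added example, not code from the Akamai report or the article; the host name compromised.example and all sample inputs are constructed for illustration.

```javascript
// Added example: defender-side checks for the Magecart pattern described above.
// Assumes Node.js (Buffer, URL). Sample data below is constructed, not real.

// Base64 literals of 16+ chars wrapped in quotes, as typically passed to atob().
const B64_LITERAL = /['"]([A-Za-z0-9+\/]{16,}={0,2})['"]/g;

// 1) Scan script text for Base64 strings that decode to a URL: a loader that
//    hides the host it fetches the skimmer from is the page's first trait.
function findHiddenUrls(scriptText) {
  const hits = [];
  for (const m of scriptText.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/[\w.-]+/.test(decoded)) hits.push(decoded);
  }
  return hits;
}

// Luhn check: separates card numbers from other long digit runs (order ids, etc.).
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d; alt = !alt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// 2) Inspect an outbound image request URL (from a proxy or CSP report log):
//    decode Base64 query values and look for a Luhn-valid card number inside.
function imgRequestLeaksCard(url) {
  for (const raw of new URL(url).searchParams.values()) {
    const value = raw.replace(/ /g, '+'); // URLSearchParams turns '+' into ' '
    if (value.length < 16 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(value)) continue;
    const decoded = Buffer.from(value, 'base64').toString('utf8');
    for (const run of decoded.match(/\d{13,19}/g) || []) {
      if (luhnValid(run)) return true;
    }
  }
  return false;
}

// Constructed samples: a loader snippet and an exfiltration request.
const SAMPLE_HOST = 'https://compromised.example/t.js';
const SAMPLE_SCRIPT = 'var h=atob("' + Buffer.from(SAMPLE_HOST).toString('base64') + '");';
const SAMPLE_EXFIL = 'https://compromised.example/p.gif?d=' +
  Buffer.from('cc=4111111111111111&exp=1227').toString('base64');
const SAMPLE_BENIGN = 'https://analytics.example/collect?v=1&tid=UA-000000';
```

Run the checks over captured page scripts and request logs; a hit on either function is a signal to inspect, not proof of compromise, since legitimate tags also embed Base64.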

Website owners can defend against Magecart infections by appropriately protecting website admin accounts and applying security updates for their CMS and plugins.

Customers of online shops can minimize the risk of data exposure by using electronic payment methods or virtual cards, or by setting charge limits on their credit cards.

Protecting Your Website

Regular Software Updates: Keep your website’s software, plugins, and themes up to date. Developers frequently release security patches to address vulnerabilities and protect against potential attacks.

Strong Passwords: Enforce robust password policies, requiring users to create complex passwords. Implement two-factor authentication (2FA) to add an extra layer of security to your website’s login process.

Web Application Firewalls (WAF): Implement a WAF to filter incoming traffic and block suspicious requests. WAFs can detect and prevent attacks, including XSS and SQL injection attempts.

Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities in your website. Consider employing professional penetration testers to simulate real-world attacks and uncover weaknesses.

User Input Validation: Implement stringent input validation measures to filter and sanitize user-generated content. This practice prevents the execution of malicious scripts injected through user input fields.

Monitoring and Incident Response

Web Traffic Analysis: Monitor your website’s traffic patterns and look for irregularities or suspicious activities. Anomalies may indicate a security breach, allowing you to respond promptly.

Incident Response Plan: Develop a comprehensive incident response plan to handle security breaches effectively. Define roles and responsibilities, establish communication channels, and outline steps to mitigate the impact.

Conclusion

The hijacking of legitimate websites to host credit card stealer scripts poses a significant threat to both website owners and their visitors. By understanding the techniques employed by hackers and implementing robust security measures, you can protect your website and its sensitive information. Safeguarding your online presence is crucial in maintaining trust and credibility with your audience.
