MagentoCore Card Skimmer Found on Mass Numbers of E-Commerce Sites

A whopping 7,339 (and counting) individual e-commerce sites have been infested with the MagentoCore.net payment-card skimmer in the last six months, making the malicious script one of the most successful credit-card threats out there. The infections are part of a single effort, all tied back to one well-resourced group with global reach.

“Online skimming – your identity and card are stolen while you shop – has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer,” said independent malware hunter Willem de Groot, in a posting Thursday on the prolific nature of the script. “The group has turned [thousands] of individual stores into zombie money machines, to the benefit of their illustrious masters.”

As for who those illustrious masters are, de Groot told Threatpost via email that he suspects the Magecart group to be behind it – which is the same outfit that pulled off the Ticketmaster heist earlier in the year. However, attribution beyond the basics remains murky.

“Their collection server is registered in Moscow, but I couldn’t say anything about their location or nationality, unfortunately,” he told us.

The campaign is global, he said, and ongoing: According to de Groot’s nightly scans, new stores are being hijacked at the alarming pace of 50 to 60 stores per day.

Further, the script appears to be rather persistent: The average recovery time is “a few weeks” he said, with at least 1,450 e-commerce sites hosting the MagentoCore.net parasite during the full six months of his analysis.

“The victim list contains multimillion dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” he said in the posting. “But the real victims are eventually the customers, who have their cards and identities stolen.”

The Magecart actors are targeting online stores running WooCommerce from WordPress and Magento software, he told Threatpost, and “the attack vector is, in almost all recent cases, brute-forcing the administrator password.” He said the adversaries are patient, automatically trying millions of common passwords until they find one that works, often over the course of a few months.

Attackers can also gain unauthorized access from a staff computer that’s infected with malware, or by hijacking an authorized session using a vulnerability in the content management system (CMS).

As for the code itself, the skimmer has been around since last December, although less sophisticated versions were found as early as 2015, de Groot told Threatpost. Once the actors succeed in gaining access to the back-end CMS running the website, they embed the MagentoCore.net Javascript code into the HTML template. This can be hidden in a few places, including in default HTML headers and footers, and in minimized, static, hidden Javascript files deep in the codebase. It also adds a backdoor to cron.php.

“That will periodically download malicious code, and, after running, delete itself, so no traces are left,” de Groot said.

Once installed, it sets about recording the keystrokes of unsuspecting online shoppers, sending everything in real-time to the malware’s Muscovite server, registered in Moscow. MageCart has been seen recruiting U.S. money mules to monetize the stolen card information; and de Groot said they can also sell them on the black market for $5 to $30 per card.

E-commerce site owners should be actively auditing their CMS, given the virulent nature of the campaign.

“My advice to shop owners is to periodically check for unauthorized code in headers, footers and database fields,” de Groot told Threatpost. “Once found, a thorough investigation should be conducted, because hackers usually sprinkle their hijacked systems with backdoors. Version control [i.e., reverting to a certified safe copy of the codebase] and a good malware scanner are very useful.”