We put a lot of thought into our data breach detection engine, a powerful real-time production monitoring solution comprising 3 main layers that combine human intelligence logic with our AI anomaly detection, arming us with the tools needed to detect the old threats and prepare for future attacks.
Last month our team discovered dozens of sites with live credit card skimmers, which we identified as Magecart activity, including one of the largest consumer electronics retailers in the UK and a well-known sports apparel brand from France. We’ve alerted the relevant CISOs, who immediately acted to secure their customers’ information.
As a result, we now have new clients and have grown our bank of authentic attacks, from which I’m going to share an example:
To demonstrate the malicious activity flow, we will walk through a live example of one of the data breaches identified by our external monitoring solution, Intelligence Pro. To protect our clients’ privacy, we will not share their identity, and site information will not be disclosed.
This script tag loads a remote script, a generic eCommerce credit card skimming malware that belongs to the Magecart group of attacks. The script contains the full malicious code, which steals the following data and sends it to the attacker’s server:
Credit card number, expiration date, CVV code
This malware is a known card skimmer operating from a malicious server located at hxxps://googletagmanager.eu, with hxxps://googletagmanager.eu/gtm.js injecting the eCommerce credit card skimming malware. Following the collection of the compromised data, it sends the user’s private information and credit card details via hxxps://www.googletagmanager.eu/ga.js. As seen in the image below:
To hide the information leakage, a simple encoding-based obfuscation was applied to the stolen data, a very common and very simple method.
ChameleonX Intelligence Pro detected this data breach immediately upon activation of the external site scan. While this is quite a simple form of attack, it is unknown how long it had been active prior to our detection.
Detection time is a critical factor. With similar Magecart attacks making the news globally, including large brands such as British Airways, Ticketmaster and Newegg, the time to detection is 30 to 45 days on average.
In today’s web business environment, where businesses rely on 3rd party services to help them grow, supply chain attacks are quite impossible to prevent: there is no control over vendors’ security protocols or their obligation to customer privacy. This makes detection time a crucial factor in the implications of a data breach.
At ChameleonX we deal with many cases of client-side data breach attacks, carried out seamlessly by fraudsters. These client-side fraudulent endeavors are triggered by a simple single-line script tag embedded in the body of the website, in pages where sensitive information resides.
Compromised Customer Credit Cards, Worldwide
A few days ago, our research led us to discover 11 different Magento e-commerce websites, from all around the world, that currently have live credit card skimmers embedded in them. The attacks are rather similar to one another and apparently belong to the same notorious Magecart group, sharing C2 servers and reusing code.
Some of the websites in the list have monthly traffic of 100K-300K unique visitors (one of them an Amazon Best-Selling company), and belong to SMB/Mid market companies of dozens to hundreds of employees. We will not uncover the names of these companies for obvious reasons, but you can rest assured we contacted all of them and most have already removed the credit card skimming malware.
Estimated monthly visits of an infected e-commerce site (stats by SimilarWeb.com)
Data Exfiltration with a Disguise
The operation we discuss in this post uses lookalike domains for the C2 servers, in order to maintain a low footprint and evade detection by website owners and users. The analyzed attacks used domains camouflaged as services such as:
Google Tag Manager
Exfiltrated credit card data from a large e-commerce website, infected with a Magecart card skimmer, sent to the fraudster’s C2 server
You get the picture. Imagine inspecting your website’s network traffic and seeing an outgoing request to a domain like googletagmaanager.com – if you’re not actively looking for a threat, you’d probably assume it’s just a legitimate request from your GTM library, right?
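An added example (not ChameleonX code or tooling) of the check a defender can run over the hostnames seen in a checkout page’s outbound traffic: an exact allowlist of trusted third-party hosts, with any host that reuses a trusted brand label on another domain, or sits within a small edit distance of it, flagged as a lookalike. The allowlist and the observed hostnames are constructed from the domains named in this post.

```javascript
// Added example, not ChameleonX code. Trusted third-party hosts (constructed allowlist).
const ALLOWLIST = ["www.googletagmanager.com", "www.google-analytics.com"];

// Second-level label of a hostname; crude, but enough for brand-label comparison.
function registrableLabel(host) {
  const labels = host.toLowerCase().split(".");
  return labels.length >= 2 ? labels[labels.length - 2] : labels[0];
}

// Levenshtein edit distance, used to catch typosquats such as googletagmaanager.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Verdict is "allowed" (exact allowlist hit), "lookalike" (brand label reused on
// another domain, or within edit distance 2 of a trusted label) or "unknown".
function classifyHost(host, allowlist = ALLOWLIST) {
  const h = host.toLowerCase();
  if (allowlist.includes(h)) return { host, verdict: "allowed", reason: "exact allowlist match" };
  const label = registrableLabel(h);
  for (const trusted of allowlist) {
    const tLabel = registrableLabel(trusted);
    if (label === tLabel) {
      return { host, verdict: "lookalike", reason: `same label as ${trusted}, different domain` };
    }
    if (editDistance(label, tLabel) <= 2) {
      return { host, verdict: "lookalike", reason: `within edit distance 2 of ${trusted}` };
    }
  }
  return { host, verdict: "unknown", reason: "not in allowlist, review manually" };
}

// Constructed sample of hosts observed in a checkout page's outbound requests.
const OBSERVED = ["www.googletagmanager.com", "googletagmanager.eu",
                  "www.googletagmaanager.com", "cdn.shop-example.test"];

// Hosts that should trigger an alert for the site owner.
function flaggedHosts(observed = OBSERVED) {
  return observed.map((h) => classifyHost(h)).filter((r) => r.verdict === "lookalike").map((r) => r.host);
}

console.log(flaggedHosts());
```

Hosts classified as "unknown" are not necessarily malicious, but on a payment page every script or request destination outside the allowlist deserves a manual review.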
The C2 Endpoint
Real Magecart Webshell backdoor script obtained from a C2 server
An illustration of a code injection attack flow
Attackers leverage different vulnerabilities to compromise websites and deploy this shell. After deploying it to the exploited website and obtaining the remote access URL, fraudsters are basically able to control most aspects of the server, allowing them to inject malicious code into the client-side runtime and modify the site that is served to end users.
ChameleonX is a cybersecurity startup company, developing a unique AI-based client-side protection solution for the eCommerce, Travel and Financial sectors to protect businesses from zero-day attacks, compromised 3rd-party resources, web vulnerabilities and malware code injections. Learn more about how we can protect your company from becoming the next big data breach news story.