At ChameleonX we deal with many cases of client-side data breach attacks, carried out seamlessly by fraudsters. These client-side attacks are typically triggered by a single-line script tag injected into the body of the website, on pages where sensitive information resides, such as the checkout.
Compromised Customer Credit Cards, Worldwide
A few days ago, our research led us to discover 11 different Magento e-commerce websites from all around the world that currently have live credit card skimmers embedded in them. The attacks are rather similar to one another and apparently belong to the same notorious Magecart group: they share C2 servers and reuse code.
Some of the websites in the list have monthly traffic of 100K-300K unique visitors (one of them belongs to an Amazon best-selling company), and they belong to SMB/mid-market companies of dozens to hundreds of employees. We will not disclose the names of these companies for obvious reasons, but you can rest assured we contacted all of them, and most have already removed the credit card skimming malware.
Estimated monthly visits of an infected e-commerce site (stats by SimilarWeb.com)
Data Exfiltration with a Disguise
The operation we discuss in this post uses lookalike domains for the C2 servers in order to maintain a low footprint and evade detection by website owners and users. The analyzed attacks used domains camouflaged as services such as:
- Google Analytics
- Google Tag Manager
Exfiltrated credit card data from a large e-commerce website, infected with a Magecart card skimmer, sent to the fraudster’s C2 server
You get the picture. Imagine inspecting your website’s network traffic and seeing an outgoing request to a domain like googletagmaanager.com. If you’re not actively looking for a threat, you’d probably assume it’s just a legitimate request from your GTM library, right? The extra letter is easy to miss, and that is exactly the point.
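To make the lookalike-domain problem concrete, here is an added example of the check a site owner can run over the hosts a checkout page talks to. It is not code from the original post or from ChameleonX. It assumes an allowlist of legitimate tag hosts (ALLOWED_HOSTS), the two brand labels named above (BRAND_LABELS), an edit-distance threshold (MAX_DIST = 2) and a constructed sample of request URLs; apart from googletagmaanager.com, which appears in this post, the sample hosts use the reserved .example TLD and point at no real site.

```javascript
// Added example (not from the original post): classify the hosts a checkout
// page talks to, flagging typosquats of legitimate tag/analytics providers.
// Runs in Node on a constructed sample; in a browser the same classifier can
// be fed from performance.getEntriesByType("resource") or document.scripts.

// Hosts that legitimately serve the tags this (hypothetical) store loads.
// Assumption for the example: tune it to the tags your own site actually uses.
const ALLOWED_HOSTS = new Set([
  "www.googletagmanager.com",
  "www.google-analytics.com",
]);

// Registrable-domain labels of the two services the skimmers impersonated.
const BRAND_LABELS = ["googletagmanager", "google-analytics"];

// How many single-character edits still count as "looks like the brand".
// Assumed threshold; 1-2 catches doubled letters, swapped pairs and i/l
// swaps without flagging unrelated vendors.
const MAX_DIST = 2;

// Levenshtein edit distance with two rolling rows (O(len(a) * len(b))).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// The label just left of the public suffix: "www.googletagmaanager.com" ->
// "googletagmaanager". Naive single-label suffix handling (no PSL), which is
// enough for .com/.example; multi-label suffixes such as .co.uk need a PSL.
function brandLabel(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.length >= 2 ? labels[labels.length - 2] : (labels[0] || "");
}

// "allowed"   exact allowlist match
// "lookalike" not allowlisted, but its label is a brand label (wrong TLD or
//             host layout), contains one, or is within MAX_DIST edits of one
// "unknown"   everything else; still worth a look on a payment page
function classifyHost(hostname) {
  const h = hostname.toLowerCase();
  if (ALLOWED_HOSTS.has(h)) return "allowed";
  const label = brandLabel(h);
  for (const brand of BRAND_LABELS) {
    if (label.includes(brand) || levenshtein(label, brand) <= MAX_DIST) {
      return "lookalike";
    }
  }
  return "unknown";
}

// Group a list of request URLs by verdict. Unparseable URLs land in
// "unknown" so nothing is silently dropped.
function auditRequests(urls) {
  const report = { allowed: [], lookalike: [], unknown: [] };
  for (const u of urls) {
    let host;
    try {
      host = new URL(u).hostname;
    } catch (e) {
      report.unknown.push(u);
      continue;
    }
    report[classifyHost(host)].push(host);
  }
  return report;
}

// Constructed sample of outbound requests from a checkout page. Only
// googletagmaanager.com comes from the post; the .example hosts are reserved
// names used so the sample points at no real site.
const SAMPLE_REQUESTS = [
  "https://www.googletagmanager.com/gtm.js",
  "https://www.google-analytics.com/collect?v=1",
  "https://www.googletagmaanager.com/gtm.js",          // doubled letter
  "https://google-analytics.example/collect",          // right label, wrong TLD
  "https://www.google-analytlcs.example/analytics.js", // i -> l
  "https://cdn.example.net/app.js",                    // impersonates nothing
];

console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

Flagging is the detective half; the preventive half is a Content-Security-Policy whose script-src and connect-src list exactly the allowlisted hosts, so a request to a lookalike domain is blocked by the browser (and reported via report-uri) instead of merely noticed later in the traffic logs.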
The C2 Endpoint
Real Magecart Webshell backdoor script obtained from a C2 server
An illustration of a code injection attack flow
Attackers leverage different vulnerabilities to deploy this shell on the websites they exploit. Once the shell is on the compromised server and the fraudsters have its remote access URL, they can control most aspects of the server, which lets them inject malicious code into the client-side runtime and modify the site that is served to end users.
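Because the server itself is compromised in this flow, the HTML it emits cannot be trusted, and the practical check is to compare the scripts on the served page against a baseline captured when the page was known-good. Here is an added example of that comparison; it is not code from the original post or from ChameleonX. The two HTML documents are constructed for the example, and the injected tag reuses the googletagmaanager.com lookalike named earlier in this post.

```javascript
// Added example (not from the original post): detect script tags that were
// not in a known-good baseline of the served page. This is the client-side
// symptom of the webshell attack above: the server is compromised, so the
// HTML it emits must be checked, not trusted.

// Pull every <script> out of an HTML string and describe it as either
// "ext:<src>" or "inline:<body with whitespace collapsed>". A regex is enough
// for this check; it is not a general HTML parser.
function scriptDescriptors(html) {
  const out = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcRe = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = srcRe.exec(attrs);
    if (src) {
      out.push("ext:" + src[1]);
    } else {
      out.push("inline:" + body.replace(/\s+/g, " ").trim());
    }
  }
  return out;
}

// Compare the scripts on a freshly fetched page with the baseline captured
// when the page was known-good. Anything added is what a skimmer injection
// looks like; anything removed is a legitimate tag that went missing.
function diffScripts(baselineHtml, currentHtml) {
  const before = new Set(scriptDescriptors(baselineHtml));
  const after = new Set(scriptDescriptors(currentHtml));
  return {
    added: [...after].filter((d) => !before.has(d)),
    removed: [...before].filter((d) => !after.has(d)),
  };
}

// Constructed checkout page, captured when known-good.
const BASELINE_HTML = `
<html><head>
<script src="https://www.googletagmanager.com/gtm.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<form id="payment"><input name="cc_number"></form>
</body></html>`;

// The same page after a hypothetical injection: one extra single-line tag
// at the end of <body>, pointing at the lookalike domain named in the post.
const INFECTED_HTML = BASELINE_HTML.replace(
  "</body>",
  '<script src="https://www.googletagmaanager.com/gtm.js"></script>\n</body>'
);

console.log(diffScripts(BASELINE_HTML, INFECTED_HTML));
```

Run this from outside the compromised server (a monitoring host fetching the live checkout page on a schedule), since a webshell operator who controls the web root can also alter any check that runs there. The inline descriptor compares the full script body, so a single changed character in an existing inline tag shows up as one removed and one added entry.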
ChameleonX is a cybersecurity startup company, developing a unique AI-based client-side protection solution for the eCommerce, Travel and Financial sectors to protect businesses from zero-day attacks, compromised 3rd-party resources, web vulnerabilities and malware code injections. Learn more about how we can protect your company from becoming the next big data breach news story.