web analytics

New Magecart Attack Delivered Through Compromised Advertising Supply Chain

by Chaoying Liu and Joseph C. Chen

On January 1, we detected a significant increase in activity from one of the web skimmer groups we’ve been tracking. During this time, we found their malicious skimming code (detected by Trend Micro as JS_OBFUS.C.) loaded on 277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands. Trend Micro’s machine learning and behavioral detection technologies proactively blocked the malicious code at the time of discovery (detected as Downloader.JS.TRX.XXJSE9EFF010).

The activities are unusual, as the group is known for injecting code into a few compromised e-commerce websites then keeping a low profile during our monitoring. Further research into these activities revealed that the skimming code was not directly injected into e-commerce websites, but to a third-party JavaScript library by Adverline, a French online advertising company, which we promptly contacted. Adverline has handled the incident and has immediately carried out the necessary remediation operations in relationship with the CERT La Poste.


Figure 1: Attack chain of the online skimming attack


Figure 2: Timeline of web-skimming activities that accessed malicious (top); and country distribution of where they were accessed, from January 1 to January 6 (bottom)
Note: Data from Trend Micro™Smart Protection Network™

Given the attack’s modus of targeting third-party services, we construed them to be from Magecart Group 5, which RiskIQ reported to be linked to several data breach incidents like the one against Ticketmaster last year. With additional help from security researcher Yonathan Klijnsma at RiskIQ, we determined that these web-skimming activities were carried out by Magecart Group 12, a seemingly new subgroup of Magecart.

Magecart Group 12’s Attack Chain
Unlike other online skimmer groups that directly compromise their target’s shopping cart platforms, Magecart Groups 5 and 12 attack third-party services used by e-commerce websites by injecting skimming code to JavaScript libraries they provide. This enables all websites embedded with the script to load the skimming code. Targeting third-party services also helps expand their reach, allowing them to steal more data.

In Adverline’s case, code was injected into a JavaScript library for retargeting advertising. It’s an approach used by e-commerce websites where visitors are tagged so they can be delivered specific ads that could attract them back to the websites. At the time of our research, the websites embedded with Adverline’s retargeting script loaded Magecart Group 12’s skimming code, which, in turn, skims payment information entered on webpages then sends it to its remote server.


Figure 3: The malicious code injected into compromised e-commerce websites by Magecart Group 12


Figure 4: The injected malicious code in Adverline’s retargeting script, designed to load skimming code (highlighted)

Skimming Toolkit
Magecart Group 12 uses a skimming toolkit that employs two obfuscated scripts. The first script is mostly for anti-reversing while the second script is the main data-skimming code. They also include code integrity checking that detects if the script is modified. The check is done by calculating a hash value to the script section, and stops the execution of the script if it finds that it doesn’t match the original hash.


Figure 5: Snapshot of code from the script of the toolkit responsible for integrity checking (deobfuscated)

The script also constantly cleans the browser debugger console messages to deter detection and analysis. Part of its fingerprinting routine includes checking if the script is running on a mobile device (by checking the browser User-Agent) and if there are handlers that check if the browser debugger is on. The fingerprinting routines are done to confirm that the browser session is from an actual consumer.


Figure 6: Snapshot of code from one of the scripts in the toolkit responsible for fingerprinting (deobfuscated)

Skimming Payment Data
The second script, the main skimming code, first checks if they are executed on a shopping cart website by detecting related strings in the URL like “checkout,” “billing,” and “purchase,” among others. Also of note are the strings “panier,” which means “basket” in French, and “kasse,” or “checkout” in German. Figure 2 shows that most of our detections (accessing Magecart Group 12-controlled domains) were in France, with a noticeable activity in Germany.

If it detects any of the targeted strings in the URL, the script will start to perform the skimming behavior. Once any value instead of empty is entered on the webpage’s typing form, the script will copy both the form name and values keyed in by the user. Stolen payment and billing data is stored in a JavaScript LocalStorage with the key name Cache. The copied data is Base64-encoded. It also generates a random number to specify individual victims, which it reserves into LocalStorage with key name E-tag. A JavaScript event “unload” is triggered whenever the user closes or refreshes the payment webpage. The script then sends the skimmed payment data, the random number (E-tag), and the e-commerce website’s domain to a remote server through HTTP POST, with Base64 coding on the entire sent date.


Figure 7: The main payment data-skimming code used in the attack (deobfuscated)

These attacks further demonstrate the importance of securing the infrastructures used to run websites, applications, or web applications, especially those that store and manage sensitive data. Regularly patch and update software; disable, restrict, or secure outdated components or third-party plugins; and strengthen credentials or authentication mechanisms. IT and security teams should also proactively monitor their websites or applications for signs of malicious activities such as unauthorized access and modification, data exfiltration, and execution of unknown scripts.

RiskIQ’s analysis further sheds light on the correlation of Group 12’s activities to Magecart.

The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains:

Indicators of Compromise (IoCs):
Skimming script (SHA-256):

  • 56cca56e39431187a2bd95e53eece8f11d3cbe2ea7ee692fa891875f40f233f5
  • f1f905558c1546cd6df67504462f0171f9fca1cfe8b0348940aad78265a5ef73
  • 87ee0ae3abcd8b4880bf48781eba16135ba03392079a8d78a663274fde4060cd
  • 80e40051baae72b37fee49ecc43e8dded645b1baf5ce6166c96a3bcf0c3582ce

Related malicious domains:

  • givemejs[.]cc
  • content-delivery[.]cc
  • cdn-content[.]cc
  • deliveryjs[.]cc

 With additional insights and analysis from Yonathan Klijnsma of RiskIQ

The post New Magecart Attack Delivered Through Compromised Advertising Supply Chain appeared first on .