Two distinct efforts targeting MenuDrive, Harbortouch, and InTouchPOS services resulted in the compromising of 300 restaurants and at least 50,000 credit cards.

Researchers have discovered that Magecart operations have compromised tens of thousands of cards so far by skimming the credit card information of unwary clients using three online restaurant ordering systems. The campaigns have affected around 300 establishments that use the services.

Researchers from Recorded Future reported in a blog post this week that two distinct current Magecart efforts have infiltrated e-skimmer scripts into the online ordering portals of restaurants employing three different platforms: MenuDrive, Harbortouch, and InTouchPOS. They claimed that one appeared to start in November of last year and the other in January.

According to experts at Recorded Future’s Insikt Group, “Across all three platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is certain to climb with further analysis.”

Cybercriminals that utilise card-skimming technologies to steal credentials from payment cards used at point-of-sale (POS) or e-commerce systems are referred to as “magecart” in general. Usually, they end up selling these stolen passwords on dark web hacker sites.

Researchers from Recorded Future remarked that the infections on the restaurants’ websites infected by the two campaigns “frequently result in the exposing of consumers’ payment card data and PII (their billing information and contact information)”.

Additional than 50,000 compromised credit card details from the campaigns have already been found by researchers, and they anticipate that more stolen data will be shared in the future.

Campaign Specifics

Researchers discovered that the same Magecart attacker targeted MenuDrive and Harbortouch, launching a campaign that infected 80 restaurants using MenuDrive and 74 using Harbortouch with e-skimmers.

They wrote in the post, “This campaign presumably started no later than January 18, 2022, and as of this report, a part of the establishments remained infected.” Researchers identified the fraudulent domain used for the campaign as authorizen[.]net, but they said it has been blocked since May 26.

Researchers discovered a another, unrelated Magecart attack that targeted InTouchPOS even earlier, starting no later than Nov. 12, 2021. In that case, they claimed that 157 restaurants using the platform were affected by e-skimmers, some of which are still operational, and that the campaign’s related malicious domains, and, are still live.

Additionally, according to Recorded Future, 400 e-commerce websites that deal in various types of transactions have been targeted by cybercriminals since May 2020. The campaign targeting InTouchPOS uses tactics and indicators of compromise that are similar to those used in other cybercriminal activity. As of June 21, researchers reported that more than 30 of the affected sites in the associated campaign are still hacked.

Low-Hanging Fruit

The hundreds of smaller online platforms that support local restaurants continue to be a valuable target for cybercriminals, researchers noted. This is despite the fact that centralised restaurant ordering platforms like Uber Eats and DoorDash dominate the market for such systems and are much more well-known than the ones affected by the campaigns.

They said that “even small-scale platforms may have hundreds of restaurants as clients,” meaning that attacking a smaller platform could reveal a large number of online transactions and payment-card information. According to analysts, these platforms are in fact easy targets for attackers who prefer to “seek the largest return for the least amount of work.”

According to one security expert, e-commerce websites generally struggle to keep their sites secure and frequently include weak code from supply-chain partners or third parties that is simple for hackers to infiltrate and may have unintended consequences.

Kim DeCarlis, chief marketing officer at cybersecurity firm PerimeterX, wrote in an email to Threatpost, “This is another example of the web attack lifecycle—the cyclical and continuous nature of cyberattacks—where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing, or account takeover attacks on another site.”