A Magecart skimming campaign, recently discovered, was traced back to an earlier attack in November 2021.
Two malware domains have been tracked for hosting credit card skimmer code in the light of the Magecart campaign. It appears these domains are part of a broader infrastructure for executing intrusions, Malwarebytes said in a Tuesday analysis.
“We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines,” Jérôme Segura said. “However, both of them are now devoid of VM detection code. It’s unclear why the threat actors removed it, unless perhaps it caused more issues than benefits.”
The first evidence of the campaign’s activity suggests that the attack goes back to May 2020.
Magecart is a cybercrime syndicate comprising dozens of subgroups that specialize in cyberattacks. These attacks steal digital credit cards by injecting JavaScript code on e-commerce storefronts, mostly on checkout pages.
The operatives get access to websites either directly or via third-party services that render software to the targeted websites.
While the attacks rose to prominence in 2015 for targeting Magento e-commerce platform (the name Magecart is a portmanteau of “Magento” and “shopping cart”), they have expanded their operation and now include a WordPress plugin named WooCommerce.
According to a report published by Sucuri in April 2022, WordPress has emerged as the top CMS platform for credit card skimming malware, outpacing Magento as of July 2021, with skimmers concealed in the websites in the form of fake images and seemingly innocuous JavaScript theme files.
Further, during the first five months of 2022, 61% of known credit card skimming malware detections were traced to WordPress Websites, followed by Magento (15.6%), OpenCart (5.5%), and others (17.7%).
“Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web,” Sucuri’s Ben Martin noted at the time.
Reference
https://thehackernews.com/2022/06/newly-discovered-magecart.html