Magecart, the same group that stole 380,000 records from British Airways, strikes again…
Today we’re going to talk about the sophisticated group of hackers behind Magecart.
But first, cybercrime has never been more rampant. We say that so much that at this point it’s become more of a platitude than a warning. But it’s true. 1.4 million phishing sites are created every month. In 2017, 90% of Enterprise businesses and 74% of SMBs reported being attacked. Cybercrime is a $1.5 trillion dollar industry.
So, how did Magecart attack Newegg for over a month without anyone noticing?
Let’s hash it out…
What is Magecart?
Let’s start with discussing card skimming, because the concept is going to be illuminating once we get into what Magecart does. A card skimmer is traditionally just a device that scans and stores payment card information. They can be used to exploit ATMs, gas pumps or pretty much any machine that accepts credit or debit cards.
Magecart has taken that concept digital.
RiskIQ has been tracking the group behind Magecart since 2015. There seems to be a little disagreement on nomenclature. RiskIQ refers to the group itself as Magecart, Volexity – the group that discovered the Newegg breach – refers to Magecart as the attack and references the group behind it. For the sake of clarity, we’re going to refer to the group as Magecart moving forward.
Then, earlier this month, Risk IQ identified another breach, this time at British Airways where around 380K customers were affected. Now, this morning, Volexity has issued its report on Magecart’s attack on Newegg.
Newegg is a popular computer hardware and electronics e-commerce retailer.
How did Magecart attack Newegg?
Let’s start with the code. This is the snippet that was responsible for the PCI theft:
I’m not going to go line-by-line through it, I’ll just focus on three. The first line dictates that all page elements should load before execution. The second line handles what data will be transmitted and when that transmission occurs, which is when a mouse button is released or a touch screen button is touched and released (accounting for the high volume of mobile users). The final line shows where the stolen data is being transmitted to.
- Create a variable named dati containing all information entered within a form titled checkout.
- Take the data captured within the dati variable and create an array by serializing the form field names and values with the serializeArray() method.
- Takes the array of data and convert it to a JSON formatted string with the JSON.stringify() method.
- Submit the JSON string to the URL https://neweggstats.com/GlobalData/ within a POST request.
Magecart hid its data exfiltration in encrypted traffic
The domain that was being used to collect the stolen PCI was registered with Namecheap on August 13th, three days before the attack is confirmed to have started. The attackers also installed an SSL certificate on the domain. This allowed it to form HTTPS connections and obfuscate the data that was being sent.
This is common practice for Magecart, it regularly registers target-specific domains and uses them to hide within the normal encrypted traffic for their targets’ sites.
This one of those places where HTTPS interception could have potentially helped to ferret out the data that was being transmitted to the attackers’ server. There’s not really a consensus on HTTPS interception (sometimes called SSL inspection), on the one hand it’s proven that it does weaken encryption. On the other, given the number of threats facing modern businesses – and the ability for those threats to hide in encrypted traffic – many feel HTTPS interception is a necessary evil. Certainly, at an Enterprise level it’s advisable.
Still, with an attacker as sophisticated as Magecart, there’s only so much that can be done. So far Magecart has victimized British Airways, Ticketmaster, Feedify and ABS-CBN. And as it continues to evolve and becomes harder to track, the risk Magecart poses is only going to grow in conjunction.
As always, leave any questions or comments below…