Magecart Skimming Tactics Evolve
Malwarebytes Describes Updated Attack Techniques
In previously reported Magecart-style attacks, a malicious skimming script was injected into payment checkout pages, with credit card and personal information skimmed off and sent to a remote server, according to an analysis by Trend Micro.
“We discovered several dozen compromised websites with exactly the same pattern. All of them are running Magento version 1,” Jérôme Segura, director of threat intelligence at Malwarebytes, told Information Security Media Group.
Imitating Image File
During its recent analysis of websites running Magento 1, Malwarebytes researchers observed new PHP web shells disguised as a favicon - a URL or shortcut icon - which they linked to Magento 12. The file, named Magento.png, attempts to pass itself off as "image/png" but does not have the proper PNG format for a valid image file.
Web shells are a type of malware encountered on websites that allow an attacker to maintain remote access and administration. "They are typically uploaded onto a web server after exploitation of a vulnerability (e.g., SQL injection)," Segura notes.
Segura adds: “Online shops can detect this type of malware with a server-side scanner, while on the client-side, you would need to have access to the DOM to detect the malicious code being injected. One option here is to use a browser extension with heuristic capabilities.”
DOM stands for Document Object Model, which is a cross-platform and language-independent interface that treats an XML or HTML document as a tree structure wherein each node is an object representing a part of the document.
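The kind of server-side check Segura refers to can be illustrated with a small scanner that verifies whether a file declared as a PNG favicon actually starts with the PNG signature and whether it carries PHP code. This is an added example written for this article, not code from Malwarebytes or Magento; the sample byte strings are constructed here, and the "fake" one is a harmless placeholder rather than a real web shell.

```python
import re

# Every valid PNG file begins with this fixed 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# An opening PHP tag never belongs inside a genuine image; its presence
# also catches polyglot files that prepend a real PNG header to PHP code.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def inspect_declared_png(data: bytes) -> dict:
    """Check whether bytes served as a PNG favicon really are a PNG.

    Returns the two findings a server-side scanner cares about: whether
    the PNG signature is present and whether PHP code is embedded.
    """
    has_signature = data[:8] == PNG_SIGNATURE
    has_php = PHP_TAG_RE.search(data) is not None
    return {
        "valid_png_signature": has_signature,
        "contains_php": has_php,
        # Flag anything that lacks the signature or carries PHP.
        "suspicious": (not has_signature) or has_php,
    }


# Constructed sample: a legitimate PNG header followed by the start of an IHDR chunk.
SAMPLE_REAL_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 13

# Constructed sample: a PHP text file posing as Magento.png (placeholder body only).
SAMPLE_FAKE_PNG = b"<?php echo 'placeholder'; ?>"

if __name__ == "__main__":
    for name, blob in (("real.png", SAMPLE_REAL_PNG), ("Magento.png", SAMPLE_FAKE_PNG)):
        print(name, inspect_declared_png(blob))
```

Running the check over a web root's image files would flag Magento.png because it fails the signature test and contains a PHP tag, while a real favicon passes both checks.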
Magento Widely Used
Adobe Magento is one of the world's most widely used e-commerce platforms, with about 250,000 users, according to Adobe's website.
Adobe reported in November 2019 that a vulnerability in the Magento e-commerce marketplace was exploited by a third party to access account information (see: Magento Marketplace Suffers Data Breach, Adobe Warns).