Researchers at the Chinese IT firm Qihoo 360 Netlab write in a blog that this attack, which has been ongoing for about five months, has affected sites that sell a range of consumer goods, including high-end handbags, mountain bikes, baby products, wine and electronics.
This scheme involves a malicious domain name called magento-analytics[.]com, which Netlab researchers first noticed in October 2018 and have been tracking ever since. The attackers are apparently trying to disguise themselves by using a name that closely resembles Magento, a content systems management platform owned by Adobe and used by thousands of online retailers.
While Netlab doesn't mention Magecart in its report, the new attack it describes bears all the hallmarks of the group, says Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking Magecart and skimmer attacks over the last several months.
"It is exactly the same," Klijnsma tells Information Security Media Group. "This isn't a new style of attack; it's just another skimmer. The skimmer used here comes from a kit you can buy to start your web-skimming empire. We've seen the same code on a lot of other websites but served from many different domains because of the skimmer's accessibility."
Researchers believe Magecart-related groups have been responsible for attacks against British Airways, Ticketmaster, Newegg and other sites (see: Magecart Cybercrime Groups Harvest Payment Card Data).
Payment Sites in the Crosshairs
These tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods. The malware is available for purchase for $250 to $5,000 on underground forums, the Group-IB analysis found.
At the heart of this new attack is the magento-analytics[.]com domain that Netlab researchers have tracked for several months. Originally registered in Panama, the IP address has moved several times to such far-flung locations as Arizona, Moscow and Hong Kong, according to the research.
From a regular browser, the magento-analytics[.]com domain returns a 403 page, and a Google search doesn't produce any answers either. But Netlab researchers were able to track the domain and study it.
The legitimate Magento platform is a frequent target of Magecart and other groups due to its popularity with online retailers, according to research published by RiskIQ and Group-IB. One of the skimmers that these groups use is called MagentoName because it is designed to take advantage of vulnerabilities in older versions of the Magento content management system.
"For the most part, these attacks are relatively easy to undertake with a low bar of entry in terms of criminal sophistication," Klijnsma of RiskIQ says. He urges online retailers to update and patch their content management platforms to avoid these types of attacks.