Great and proven techniques will always be noticed by someone as successful as Magecart. Hiding code inside image headers, or image code injection, is a known Magecart handiwork that has been observed as early as 2015. However, they may have been active as early as 2014, based on the creation dates of domains used as part of the reshipping scheme. Magecart consists of at least six different groups; it has impacted thousands of customers and compromised 6,400+ sites. With the current pandemic, and confirmed cases in Europe second only to the United States, people are still confined to their houses and make many of their purchases online. This recent trend paved the way for Magecart Group 9 to surface and run their scheme, and a recently reported supply chain attack has been linked to Magecart Group 9.
How does their method work?
First, Magecart chooses its target. It then studies the application it intends to exploit, in this case the WooCommerce plugin for WordPress. As e-commerce operators become more aware of this type of attack, Magecart studied their targets and devised a way to embed their skimmer code into the targets' websites. The skimmer, malicious code injected into an image, collects form contents and sends them out in a POST request.
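The technique above relies on a text-bearing metadata field of an image carrying script instead of a caption. The following is an added defensive example, not code from the original article: it constructs two minimal JPEG fixtures (one with ordinary EXIF strings, one with a constructed script-like string in the Copyright field), parses the APP1/Exif segment with a small hand-written TIFF IFD0 reader, and flags metadata values that contain JavaScript indicators. The tag numbers come from the TIFF/EXIF specification; the indicator token list, the fixtures and the function names are assumptions made for this example.

```python
import struct

# TIFF/EXIF tags that hold free-form ASCII text and are therefore convenient
# hiding places for content that is not descriptive image metadata.
ASCII_TAGS = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x013B: "Artist",
    0x8298: "Copyright",
}

# Substrings a defender would treat as suspicious inside image metadata
# (assumed indicator list for this example; tune it for your environment).
SUSPICIOUS = [
    "eval(", "atob(", "document.forms", "XMLHttpRequest", "fetch(",
    "addEventListener", "btoa(", "String.fromCharCode",
]


def build_exif_jpeg(strings):
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI) whose IFD0 carries the
    given {tag: text} ASCII entries. Test fixture only, not a real photo."""
    entries = b""
    data = b""
    n = len(strings)
    # IFD0 starts at TIFF offset 8 and occupies 2 + 12*n + 4 bytes; longer
    # string values are stored after it and referenced by offset.
    data_offset = 8 + 2 + 12 * n + 4
    for tag, text in sorted(strings.items()):
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:
            entries += struct.pack(">HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            entries += struct.pack(">HHII", tag, 2, len(value), data_offset + len(data))
            data += value
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", n)
            + entries + b"\x00\x00\x00\x00" + data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_ifd0(tiff):
    """Read the ASCII entries of IFD0 from a TIFF blob (big or little endian)."""
    if tiff[:2] not in (b"MM", b"II"):
        raise ValueError("bad TIFF header")
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        if typ != 2 or tag not in ASCII_TAGS:  # type 2 = ASCII
            continue
        if n <= 4:  # short values are stored inline in the entry
            raw = tiff[e + 8:e + 8 + n]
        else:       # longer values live at an offset from the TIFF header
            off = struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def extract_exif_strings(jpeg):
    """Walk the JPEG marker segments, locate APP1/Exif and return its IFD0
    ASCII values as {tag_name: text}; {} when the file carries no EXIF."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            break
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(body[6:])
        pos += 2 + seglen
    return {}


def scan_image(jpeg):
    """Return (tag_name, indicator) pairs for metadata values that look like
    executable script rather than descriptive text."""
    hits = []
    for name, text in extract_exif_strings(jpeg).items():
        for token in SUSPICIOUS:
            if token in text:
                hits.append((name, token))
    return hits


# Constructed fixtures: a benign image and one whose Copyright field carries
# a stand-in script string (not a real skimmer) of the kind a loader would eval.
CLEAN = build_exif_jpeg({0x8298: "Copyright 2020 Example Shop", 0x0131: "GIMP 2.10"})
SUSPECT = build_exif_jpeg({0x8298: "eval(atob('QUJD'))", 0x010E: "photo"})

if __name__ == "__main__":
    print("clean:", scan_image(CLEAN))
    print("suspect:", scan_image(SUSPECT))
```

Run over a directory of uploaded images, any hit is worth a manual look; legitimate cameras and editors put names, dates and software versions in these fields, never parentheses followed by function calls.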
Known factors linking this latest code injection to Magecart Group 9
- The domain magentorates.com, used in this EXIF metadata, has the same Bulgarian host and the same registrar as magerates.com and was registered within a week of it; its domain server is located in Romania and was part of a VPN provider based in Lithuania named Time4VPS.
- The obfuscated code was added using the WiseLoop PHP JS Obfuscator library.
- Magerates.com is registered under [email protected], which also owns other skimmer domains, several of which are used with another ingenious evasion technique in the form of WebSockets.
- Steganography was used to hide the skimming code.