Magecart attacks have lessened, but the few left become more elusive

June 27, 2022

Magecart attacks have drastically decreased over the past months of this year. However, some of the operators behind them have become more elusive, since standard security solutions have difficulty detecting their campaigns.

Some analysts discovered that client-side Magecart attacks are still ongoing and that stolen credit card data is still in demand on the market.

Last June, a cybersecurity report disclosed a new credit card skimmer domain. Another researcher revealed an allegedly malicious host connected to a compromised e-commerce website. After several analyses, the host was confirmed to be malicious and was attributed to a more effective campaign operated by an unidentified threat group.

The skimming campaign from last year is still connected to the Magecart activities.

The stealthy Magecart attacks still have ties to the campaign from last year, in which the skimmer could detect virtual machines (VMs). The operators removed the VM code from their attack the previous year, but the new malware includes various naming schemes for a more effective campaign.

The researchers also found numerous compromised domains while validating the skimming activities. Starting from a single hash, they linked the skimmers to a chain of campaigns that dates back a couple of years. The threat actors also used three themes, one of which is JS libraries, to obfuscate the skimmer.

In terms of cyberattacks, WordPress sites with the WooCommerce plugin attract numerous threat actors, making them a more attractive target than Magento. Researchers spotted the most recent Magecart attack earlier this year, in which the adversaries attacked over 500 e-commerce sites running an outdated version of Magento. The single piece of malware used by the actors infected nearly 400 websites on the same day as the intrusion.

The low visibility of server-side attacks may account for the decreasing volume of Magecart attacks, since only a few skimming operators have access to PHP-based skimmers. Additionally, digital wallets, especially cryptocurrency wallets, are more profitable than credit cards. This is the only reason cybercriminals tend to attack crypto wallets rather than credit cards.
