Advertising network compromised to deliver credit card stealing code

Hundreds of online stores confirmed to be impacted, thousands or more under investigation.

Adverline

A Paris-based online advertising company was hacked, and its infrastructure used to deliver malicious JavaScript code to online stores, code that was designed to steal payment card details entered in checkout pages.

The hack took place last year, around November 2018, when a cybercriminal group compromised the content delivery network (CDN) of Adverline, a French company that runs an advertising network with a predominantly EU clientele.

The Adverline CDN compromise, detected first by security researchers from Trend Micro, and analyzed in greater detail in a report published today by RiskIQ, is what experts call today a "Magecart attack."

Magecart attacks --also referred to as web card skimming-- take multiple forms, and the Adverline hack is one of its most complicated forms.

The simplest Magecart attacks are when hackers breach an e-commerce site and plant malicious code on its servers. The most complex ones are when hacker groups breach third-party service providers and use the infrastructure of these companies to deliver malicious code on online shops, some of which would normally be very hard to breach in the first place.

Last year, one group that RiskIQ tracked as Magecart Group 5, pioneered this tactic and was responsible for hacks at 12 third-party companies, hacks through which Group 5 delivered its malicious card stealing code to thousands of online store.

Now, RiskIQ says that a new group, which they're tracking as Magecart Group 12, appears to have copied Group 5's modus operandi and has breached Adverline to exploit its infrastructure in a similar fashion.

RiskIQ says it already confirmed hundreds of victim websites that have loaded Group 12's malicious code via the Adverline-powered ad slots. Trend Micro has put the number of affected sites at 277.

The security firm says it's still investigating the possibility of the malicious code reaching thousands of other stores.

Magecart Group 12 modus operandi

Image: Trend Micro

According to RiskIQ threat researcher Yonathan Klijnsma, the malicious code delivered through Adverline ads will look at the current page's link and search for 13 words often found in checkout URLs, such as "cart," "order," "basket," and others.

While ten terms are in English, two are French, and one is in German, suggesting that Group 12 knew that Adverline ads were most likely to be found on local European sites and have adapted their script accordingly.

RiskIQ says it's been working with AbuseCH and the ShadowServer Foundation to take down Group 12's server infrastructure, which appears to have been set up two months before the Adverline hack, in September 2018.

Currently, the domains involved in this attack have stopped working, but RiskIQ couldn't tell if they were taken down by the attackers, or by the domain registrar after they've sent an abuse report.

Adverline did not respond to a request for comment from ZDNet seeking information on how it responded to the hack, or even if it knew that its infrastructure had been breached.

End users have little options to protect themselves against Magecart attacks. While some antivirus solutions might be able to detect well-known Magecart domains, antivirus software will always be behind the eight ball when it comes to detecting new and non-public Magecart operations.

A more solid advice for end users would be to turn off JavaScript support in the browser while shopping online --as Magecart code is just plain ol' JavaScript. However, some online stores don't work properly without JavaScript, and users wouldn't be able to order any goods.

Another advice would be that users employ services that provide unique payment card numbers for one online transaction, or card numbers that are valid only for a limited amount of time.

More data breach coverage: