Feedify becomes latest victim of the Magecart malware campaign

Magecart crew strikes again! This time they infect the infrastructure of a website push notification service.
Written by Catalin Cimpanu, Contributor

Push notification service Feedify is the latest victim of a cyber-criminal operation known as Magecart, the same that was recently identified as the culprit behind the Ticketmaster and British Airways breaches.

According to a security researcher going online by the pseudonym of Placebo, one of the company's JavaScript files was infected with malicious code that steals payment card details.

Placebo's findings were confirmed yesterday by RiskIQ security researcher Yonathan Klijnsma and infosec pundit Kevin Beaumont.

The malicious code was added to a file named feedbackembad-min-1.0.js, Placebo told ZDNet in an interview.

Also: 7 tips for SMBs to improve data security TechRepublic

Feedify provides push notification services for online websites. Companies can embed Feedify JavaScript libraries on their sites, which then ask users for permissions to receive desktop notifications for whenever the site publishes new content. These sites --the Feedify customers-- can push notifications through the Feedify backend to their respective users.

The Magecart group added their malicious code to one of the files that Feedify customers had embedded on their sites.

The Feedify website claims the company has over 4,000 customers, but a search with the PublicWWW service shows that this particular library was only embedded on 250 to 300 sites.

Klijnsma says that data obtained through RiskIQ's PassiveTotal platform allowed his company to record when hackers changed the content of that particular file.

"They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it," Klijnsma told ZDNet.

Also: Best Home Security Devices for 2018 CNET

Security researcher Placebo said he notified Feedify on September 11 and the malicious code was removed the same day.

But over the course of the last 24 hours, the same file was compromised and edited to carry the Magecart code again. After Feedify intervened to remove the code, the Magecart crew re-added their code once to the file for the third time.

At the time of this article's publication, the feedbackembad-min-1.0.js was, once again, infected with the Magecart card-stealing code.

Feedify did not respond to a request for comment from ZDNet.

Magecart, the group behind the Feedify hack, has been active since 2015. For the first two years, the group has gone after Magento online stores, primarily.

They would use old vulnerabilities to break into e-commerce sites and place malicious code that collected payment card details, which would later siphon off to their own servers.

The group gradually changed tactics in late 2017 and early 2018, when they began going after major services, and especially hosted web infrastructure.

It's most well-known hack was when they breached the Inbenta chat service and deployed card-stealing code along with the Inbenta chat widget on countless of sites, the biggest of which was Ticketmaster.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Editorial standards