A new security breach involving the Magecart malware came to light today, this time involving a US web company named Shopper Approved that provides a "review widget" that other companies can embed on their sites and collect opinions and ratings from customers.
This incident took place on September 15, according to a report from RisqIQ, the cyber-security firm who detected it.
RisqIQ says a hacker group gained access to Shopper Approved's server infrastructure and planted malicious code inside a file located at https://shopperapproved.com/seals/certificate.js.
This is one of the files that was loaded on numerous third-party sites as part of the Shopper Approved customer rating widget.
The malicious code planted inside this legitimate file contained features that collected information entered in checkout forms and sent the data to a remote server, located at info-stat.ws.
RisqIQ says this was the same server that was used in the hack of Feedify, another company that provides an embeddable widget, and which was also compromised with the Magecart malware in mid-September.
But this time around, the infection didn't last weeks, as in the Feedify case, but only two days. RisqIQ contacted Shopper Approved, who removed the code the next Monday, on September 17.
RisqIQ and Shopper Approved said that while the widget was normally loaded on thousands of sites, because the hack was detected in its early stages, the payment card skimmer code only appeared on "a small percentage of the checkout pages."
The reason why the hack was more limited in nature when compared to previous Magecart incidents was that most Shopper Approved customers didn't load the rating widget on their store checkout page, and because the actual skimmer code only triggered on checkout pages that included certain keywords in the checkout URL.
In a message on its website today, Shopper Approved says it already contacted the websites where the Magecart skimmer code was loaded.
"Fortunately, we were able to quickly detect and secure the code related to the incident," the company said.
"If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ.
The Shopper Approved incident also gave RisqIQ a good insight into the hackers' infrastructure. The company says attackers made a mistake when planting the Magecart skimmer code inside Shopper Approved's certificate.js file by copy-pasting a clean and non-obfuscated version of their code before replacing it with an obfuscated and non-readable version 15 minutes later. This gave researchers a clean look at the attacker's code, information they're now using to better track the group's malicious code on the Internet.
Magecart is an umbrella term given to several hacker groups that operate by a similar pattern by planting payment card-stealing code on legitimate sites.
In the past year, Magecart hacks have been reported at companies like Ticketmaster, British Airways, Feedify, ABS-CBN, Newegg, but also Hats.com, TechRabbit, Title Nine, and Stein Mart, Plant Therapy, Peaceful Valley Farm Supply, PPI, and Five Below. Klijnsma has publicly stated in the past weeks that this list is incomplete and should include many more companies that have not gone public or whose hacks have gone unreported by mainstream media.
- Google shuts down Google+ after API bug exposed details for over 500,000 users
- Amazon fires employee for sharing customers' email addresses
- Twitter notifies users about API bug that shared DMs with wrong devs
- Facebook says it detected security breach after traffic spike
- Apple reassures customers after teen is busted for hacking it CNET
- Why hiring more cybersecurity pros may not lead to better security TechRepublic