Online stores that have been infected with the Magecart malware, known to record and steal credit card details from checkout forms, often get reinfected after clean-up operations, a recent report has revealed.
"In the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times," said Willem de Groot, a Dutch security researcher and the creator of MageReport, an online malware and vulnerability scanner for online stores.
De Groot says he's tracked Magecart-like infections on more than 40,000 domains since 2015. The researcher says that during August, September, and October, his scanner detected Magecart-like card skimming malware on over 5,400 domains.
Skimmers persisted on average for 12.7 days, but in most cases, shop owners intervened and removed the malicious code.
However, despite their best efforts, some online merchants failed to properly close hackers' entry points during clean-up operations.
He says that 21.3 percent of the cleaned shops got reinfected. A large number of reinfections occurred within the first day, or after a week, but on average, the reinfection time was 10.5 days.
"Public examples of stores battling with reinfections are TechRabbit.com (2 times), Kitronik.co.uk (4 times) and Zapals.com (4 times)," de Groot said. Feedify can also be added to this list, having been reinfected twice after an original infection was cleaned.
"All in all, it takes some very keen eyes and a lot of effort to clean all traces of a breach," he said.
De Groot also asserts that Magecart groups have gotten more professional in recent years, an assessment consistent with the findings of a 60-page report published this week by RiskIQ and Flashpoint, which shed some light on the operations of seven major Magecart criminal groups.