One in five Magecart-infected stores get reinfected within days

A large number of reinfections take place within a day or week. Average reinfection time is 10.5 days.

Online stores that have been infected with the Magecart malware --known to record and steal credit card details from checkout forms-- often get reinfected after clean-up operations, a recent report has revealed.

"In the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times," said Willem de Groot, a Dutch security researcher and the creator of MageReport, an online malware and vulnerability scanner for online stores.

De Groot says he's tracked Magecart-like infections on more than 40,000 domains since 2015. The researcher says that during August, September, and October, his scanner detected Magecart-like card skimming malware on over 5,400 domains.

Skimmers persisted on average for 12.7 days, but in most cases, shop owners intervened and removed the malicious code.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

However, despite their best efforts, some online merchants failed to properly close hackers' entry points during clean-up operations.

He says that 21.3 percent of the cleaned shops got reinfected. A large number of reinfections occurred within the first day, or after a week, but on average, the reinfection time was 10.5 days.

magecart-reinfections.png
Image: Willem de Groot

"Public examples of stores battling with reinfections are TechRabbit.com (2 times), Kitronik.co.uk (4 times) and Zapals.com (4 times)," de Groot said. Feedify can also be added to this list, being also reinfected twice after cleaning an original infection.

De Groot, who just yesterday spotted a Magecart infection on Alex Jones' Infowars online store, blames the reinfections on a combination of factors.

"This shows that countermeasures taken by merchants and their contracted security firms often fail. There are multiple reasons for this," he said. The expert listed:

  • Magecart operatives often litter a hacked store with backdoors and rogue admin accounts.
  • Magecart operatives use reinfection mechanisms such as database triggers and hidden periodic tasks to reinstate their payload.
  • Magecart operatives use obfuscation techniques to make their presence indistinguishable from legitimate code.
  • Magecart operatives utilize unpublished security exploits (aka 0days) to hack sites, exploits for which there are no patches.

"All in all, it takes some very keen eyes and a lot of effort to clean all traces of a breach," he said.

De Groot also asserts that Magecart groups have gotten more professional in recent years, an assessment consistent with the findings of a 60-page report published this week by RiskIQ and Flashpoint, which shed some light into the operations of seven major Magecart criminal groups.

Related cybersecurity coverage:

Best Black Friday 2018 deals: