Dozens of Credit Card Info Skimming Scripts Infect Thousands of Sites (Apr 3, 2019)
The threat groups targeting website checkout pages with credit and debit card skimming malware, referred to collectively as Magecart, have developed new skimmers that have not been analyzed before, according to Group-IB researchers. RiskIQ researchers first reported on Magecart activity and identified approximately 38 different families of skimming scripts used by the 12 groups that make up Magecart. Group-IB researchers, who use the term “JS-Sniffer” for these skimmers, analyzed 15 of the 38 families and found that approximately 2,440 websites had been infected with a JS-Sniffer skimmer. Threat actors most likely gain the access needed to install a skimmer by exploiting a known vulnerability in the site, by using stolen credentials, or through a supply chain attack.
Recommendation: Webmasters sometimes discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Furthermore, JS-Sniffer is available for purchase or rent on underground forums for prices ranging from $250 USD to $5,000 USD, which increases the likelihood that websites will be targeted by financially motivated threat actors of all levels of sophistication.
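The monitoring the recommendation calls for can be made concrete for checkout pages: record the scripts a known-good page loads, then periodically re-fetch the page and alert on any script that was not in the baseline or that comes from a host outside the expected set. The following is an added example written for this entry; it is not tooling from Group-IB, RiskIQ or Anomali. The two HTML documents, the hostnames (`js.example-psp.test`, `cdn.example-psp-static.test`) and the allowed-host list are constructed for illustration; in practice the baseline would be taken from a page you have verified and the HTML fed in from an HTTP fetch.

```python
"""Baseline-diff check for the scripts on a checkout page (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # values of <script src="...">
        self.inline_hashes = []   # sha256 hex digests of inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as CDATA.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.inline_hashes.append(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def snapshot(html):
    """Return the script inventory of a page: external srcs and inline-body hashes."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline_hashes}


def check_page(html, baseline, allowed_hosts):
    """Compare a freshly fetched page against a known-good baseline.

    Returns a list of human-readable findings; an empty list means no change.
    """
    current = snapshot(html)
    findings = []
    for src in current["external"]:
        host = urlparse(src).hostname or ""   # relative src -> same origin, no host
        if src not in baseline["external"]:
            findings.append(f"new external script: {src}")
        if host and host not in allowed_hosts:
            findings.append(f"script loaded from unexpected host: {host}")
    for digest in current["inline"]:
        if digest not in baseline["inline"]:
            findings.append(f"inline script changed or added (sha256 {digest[:12]}...)")
    for src in set(baseline["external"]) - set(current["external"]):
        findings.append(f"expected script missing: {src}")
    return findings


# Constructed known-good checkout page used to build the baseline.
KNOWN_GOOD = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v1/pay.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed later fetch of the same page: the inline config script has
# gained an extra statement and a script tag from a look-alike host appeared.
SUSPECT = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v1/pay.js"></script>
<script>window.checkoutConfig = {currency: "USD"};
window.extra = 1; /* unexpected additional code */</script>
<script src="https://cdn.example-psp-static.test/lib.js"></script>
</body></html>"""

# Hosts from which this page is expected to load scripts (constructed).
ALLOWED_HOSTS = {"js.example-psp.test"}


def demo():
    """Build the baseline from KNOWN_GOOD and check SUSPECT against it."""
    baseline = snapshot(KNOWN_GOOD)
    return check_page(SUSPECT, baseline, ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in demo():
        print("ALERT:", finding)
```

Run on the constructed pages, `demo()` reports the new external script, the unexpected host it comes from, and the modified inline script, while checking the known-good page against its own baseline reports nothing. Hashing inline bodies rather than storing them keeps the baseline small and still catches a single changed character; comparing hosts separately from full URLs catches a look-alike domain even when the path is familiar.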
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.