According to security researchers from RiskIQ and Trend Micro, cybercriminals of a new subgroup of Magecart, labeled as "Magecart Group 12," recently successfully compromised nearly 277 e-commerce websites by using supply-chain attacks.
Magecart is the same group of digital credit card skimmers which made headlines last year for carrying out attacks against some big businesses including Ticketmaster, British Airways, and Newegg.
"At the time of our research, the websites embedded with Adverline's re-targeting script loaded Magecart Group 12's skimming code, which, in turn, skims payment information entered on web pages then sends it to its remote server," Trend Micro says.What's more? Security researcher Yonathan Klijnsma at RiskIQ discovered that the skimmer code for MageCart Group 12 protects itself from de-obfuscation and analysis by performing an integrity check twice on itself.
"Magecart Group 12 uses a skimming toolkit that employs two obfuscated scripts. The first script is mostly for anti-reversing while the second script is the main data-skimming code," the researchers say.Upon infection, the data-skimming code first checks if it is executed on an appropriate shopping cart web page. It does so by detecting related strings in the URL like 'checkout,' 'billing,' 'purchase,' 'panier,' which means 'basket' in French, and 'kasse,' which means 'checkout' in German.