#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security Posture Management

Magecart | Breaking Cybersecurity News | The Hacker News

New Magecart Campaign Alters 404 Error Pages to Steal Shoppers' Credit Cards

New Magecart Campaign Alters 404 Error Pages to Steal Shoppers' Credit Cards

Oct 10, 2023 Website Security / Hacking
A sophisticated  Magecart  campaign has been observed manipulating websites' default 404 error page to conceal malicious code in what's been described as the latest evolution of the attacks. The activity, per Akamai, targets Magento and WooCommerce websites, with some of the victims belonging to large organizations in the food and retail industries. "In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources," Akamai security researcher Roman Lvovsky  said  in a Monday analysis. This involves inserting the code directly into the HTML pages or within one of the first-party scripts that were loaded as part of the website. The attacks are realized through a multi-stage chain, in which the loader code retrieves the main payload during runtime in order to capture the sensitive information entered by visitors on checkout pages and exfiltrate it to a remote server. &
Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

Jun 05, 2023 Website Security / Magecart
Cybersecurity researchers have unearthed a new ongoing  Magecart -style web skimmer campaign that's designed to steal personally identifiable information (PII) and credit card data from e-commerce websites. A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as "makeshift" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites. Web security company Akamai said it identified victims of varying sizes in North America, Latin America, and Europe, potentially putting the personal data of thousands of site visitors at risk of being harvested and sold for illicit profits. "Attackers employ a number of evasion techniques during the campaign, including obfuscating [using] Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager," Akamai security researcher Roman Lv
cyber security

Cracking the Code to Vulnerability Management

websitewiz.ioVulnerability Management / Cloud Security
Vulnerability management in the cloud is no longer just about patches and fixes. In this latest report, the Wiz Security Research team put vulnerability management theory into practice using recently identified vulnerabilities as examples. Get the FREE report
This Free Solution Provides Essential Third-Party Risk Management for SaaS

This Free Solution Provides Essential Third-Party Risk Management for SaaS

Nov 30, 2023SaaS Security / Risk Management
Wing Security recently announced that basic third-party risk assessment is  now available as a free product . But it raises the questions of how SaaS is connected to third-party risk management (TPRM) and what companies should do to ensure a proper SaaS-TPRM process is in place. In this article we will share 5 tips to manage the third-party risks associated with SaaS, but first...  What exactly is Third-Party Risk Management in SaaS? SaaS is rapidly growing, offering businesses convenience, swift implementations, and valuable opportunities. However, this growth introduces a security challenge where risks arise from the interconnected nature of SaaS supply chains. It is clear that before onboarding a new contractor or vendor, we need due diligence, security checks, and referrals. However, we now understand that in the SaaS domain, applications are, in fact, the go-to vendor of choice.  Let's explain: Any employee can very easily connect SaaS vendors to company data, granting them pe
Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks — It's Magecart!

Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks — It's Magecart!

Apr 28, 2023 Online Security / Website Hacking
An ongoing  Magecart  campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users. "The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page," Jérôme Segura, director of threat intelligence at Malwarebytes,  said . "The remarkable thing here is that the skimmer looks more authentic than the original payment page." The term  Magecart  is a catch-all that refers to several cybercrime groups which employ online skimming techniques to steal personal data from websites – most commonly, customer details and payment information on e-commerce websites. The name originates from the groups' initial targeting of the Magento platform. According to  data  shared by Sansec, the first Magecart-like attacks were observed as early as 2010. As of 2022, more than 70,000 sto
Magecart Hacks Food Ordering Systems to Steal Payment Data from Over 300 Restaurants

Magecart Hacks Food Ordering Systems to Steal Payment Data from Over 300 Restaurants

Jul 25, 2022
Three restaurant ordering platforms MenuDrive, Harbortouch, and InTouchPOS were the target of two Magecart skimming campaigns that resulted in the compromise of at least 311 restaurants. The trio of breaches has led to the theft of more than 50,000 payment card records from these infected restaurants and posted for sale on the dark web. "The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch," cybersecurity firm Recorded Future  revealed  in a report. "InTouchPOS was targeted by a separate, unrelated Magecart campaign, resulting in e-skimmer infections on 157 restaurants using the platform." Magecart actors have a history of  infecting e-commerce websites  with JavaScript skimmers to steal online shoppers' payment card data, billing information, and other personally identifiable information (PII). The first set of act
Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign

Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign

Jun 22, 2022
A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. To that end, it has come to light that  two   malware  domains identified as hosting credit card skimmer code — "scanalytic[.]org" and "js.staticounter[.]net" — are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis. "We were able to connect these two domains with a  previous campaign from November 2021  which was the first instance to our knowledge of a skimmer checking for the use of virtual machines," Jérôme Segura  said . "However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits." The earliest evidence of the campaign's activity, based on the additional domains uncovered, suggests it dates back to at least May 2020. Magecart  refers to a cybercrim
Critical Magento 0-Day Vulnerability Under Active Exploitation — Patch Released

Critical Magento 0-Day Vulnerability Under Active Exploitation — Patch Released

Feb 14, 2022
Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild. Tracked as  CVE-2022-24086 , the shortcoming has a CVSS score of 9.8 out of 10 on the vulnerability scoring system and has been characterized as an " improper input validation " issue that could be weaponized to achieve arbitrary code execution.  It's also a pre-authenticated flaw, meaning it could be exploited without requiring any credentials. Additionally, the California-headquartered company pointed out that the vulnerability can be exploited by an attacker with non-administrative privileges. The flaw affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions as well as 2.3.7-p2 and earlier versions. Adobe Commerce 2.3.3 and lower are not vulnerable. "Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Ad
New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers

New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers

Dec 03, 2021
E-commerce platforms in the U.S., Germany, and France have come under attack from a new form of malware that targets Nginx servers in an attempt to masquerade its presence and slip past detection by security solutions. "This novel code injects itself into a host Nginx application and is nearly invisible," Sansec Threat Research team  said  in a new report. "The parasite is used to steal data from eCommerce servers, also known as 'server-side Magecart.'"  A free and open-source software, Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. NginRAT, as the advanced malware is called, works by hijacking a host Nginx application to embed itself into the webserver process. The remote access trojan itself is delivered via  CronRAT , another piece of malware the Dutch cybersecurity firm disclosed last week as hiding its malicious payloads in cron jobs scheduled to execute on February 31st, a non-existent ca
CronRAT: A New Linux Malware That’s Scheduled to Run on February 31st

CronRAT: A New Linux Malware That's Scheduled to Run on February 31st

Nov 26, 2021
Researchers have unearthed a new remote access trojan (RAT) for Linux that employs a never-before-seen stealth technique that involves masking its malicious actions by scheduling them for execution on February 31st, a non-existent calendar day. Dubbed CronRAT, the sneaky malware "enables  server-side Magecart data theft  which bypasses browser-based security solutions," Sansec Threat Research said. The Dutch cybersecurity firm said it found samples of the RAT on several online stores, including an unnamed country's largest outlet. CronRAT's standout feature is its ability to leverage the  cron  job-scheduler utility for Unix to hide malicious payloads using task names programmed to execute on February 31st. Not only does this allow the malware to evade detection from security software, but it also enables it to launch an array of attack commands that could put Linux eCommerce servers at risk. "The CronRAT adds a number of tasks to crontab with a curious date
Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration

Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration

Jul 09, 2021
Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within  comment blocks  and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are  continuously improving  their infection chains to escape detection. "One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion," Sucuri Security Analyst, Ben Martin,  said  in a write-up. "These can later be downloaded using a simple  GET request  at a later date." Magecart is the umbrella term given to multiple groups of cybercriminals targeting e-commerce websites with the goal of plundering credit card numbers by injecting malicious JavaScript skimmers and selling them on the black market. Sucuri attributed the attack to  Magecart Group 7  based on overlaps in the tactics, techniques, and procedures (TT
Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons

Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons

May 14, 2021
Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users. "These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores," Malwarebytes Jérôme Segura  said  in a Thursday write-up. "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer." Injecting web skimmers on e-commerce websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems. Also known as formjacking attacks, the skimmers take the form of JavaScript code that the operators stealthily insert into an e-commerce website, often on payment pages, with an intent to c
Over 2800 e-Shops Running Outdated Magento Software Hit by Credit Card Hackers

Over 2800 e-Shops Running Outdated Magento Software Hit by Credit Card Hackers

Nov 11, 2020
A wave of cyberattacks against retailers running the Magento 1.x e-commerce platform earlier this September has been attributed to one single group, according to the latest research. "This group has carried out a large number of diverse Magecart attacks that often compromise large numbers of websites at once through supply chain attacks, such as the Adverline incident , or through the use of exploits such as in the September Magento 1 compromises," RiskIQ said in an analysis published today. Collectively called Cardbleed , the attacks targeted at least 2,806 online storefronts running Magento 1.x, which reached end-of-life as of June 30, 2020. Injecting e-skimmers on shopping websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems. These virtual credit card skimmers, also known as formjacking attacks , are typically JavaScript code that the operators stealth
New Web-Based Credit Card Stealer Uses Telegram Messenger to Exfiltrate Data

New Web-Based Credit Card Stealer Uses Telegram Messenger to Exfiltrate Data

Sep 02, 2020
Cybercriminal groups are constantly evolving to find new ways to pilfer financial information, and the latest trick in their arsenal is to leverage the messaging app Telegram to their benefit. In what's a new tactic adopted by Magecart groups, the encrypted messaging service is being used to send stolen payment details from compromised websites back to the attackers. "For threat actors, this data exfiltration mechanism is efficient and doesn't require them to keep up infrastructure that could be taken down or blocked by defenders," Jérôme Segura of Malwarebytes said in a Monday analysis . "They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets." The TTP was first publicly documented by security researcher @AffableKraut in a Twitter thread last week using data from Dutch cybersecurity firm Sansec. Injecting e-skimmers on shopping websites by exploiting a known
e-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata

e-Commerce Site Hackers Now Hiding Credit Card Stealer Inside Image Metadata

Jun 29, 2020
In what's one of the most innovative hacking campaigns, cybercrime gangs are now hiding malicious code implants in the metadata of image files to covertly steal payment card information entered by visitors on the hacked websites. "We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores," Malwarebytes researchers said last week. "This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot." The evolving tactic of the operation, widely known as web skimming or a Magecart attack, comes as bad actors are finding different ways to inject JavaScript scripts, including misconfigured AWS S3 data storage buckets and exploiting content security policy to transmit data to a Google Analytics account under their control. Using Steganography
Magecart Targets Emergency Services-related Sites via Insecure S3 Buckets

Magecart Targets Emergency Services-related Sites via Insecure S3 Buckets

Jun 09, 2020
Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns. In a new report shared with The Hacker News, cybersecurity firm RiskIQ said it identified three compromised websites belonging to Endeavor Business Media last month that are still hosting JavaScript skimming code — a classic tactic embraced by Magecart , a consortium of different hacker groups who target online shopping cart systems. The unpatched affected websites host emergency services-related content and chat forums catering to firefighters, police officers, and security professionals, per RiskIQ. www[.]officer[.]com www[.]firehouse[.]com www[.]securityinfowatch[.]com The cyber firm said it hasn't heard back from Endeavor Business Media despite reaching out to the company to address the issues. As a consequence, it's working with Swiss non-profit cyber
Magecart Hackers Inject iFrame Skimmers in 19 Sites to Steal Payment Data

Magecart Hackers Inject iFrame Skimmers in 19 Sites to Steal Payment Data

Apr 02, 2020
Cybersecurity researchers today uncovered an ongoing new Magecart skimmer campaign that so far has successfully compromised at least 19 different e-commerce websites to steal payment card details of their customers. According to a report published today and shared with The Hacker News, RiskIQ researchers spotted a new digital skimmer, dubbed " MakeFrame ," that injects HTML iframes into web-pages to phish payment data. MakeFrame attacks have been attributed to Magecart Group 7 for its approach of using the compromised sites to host the skimming code, load the skimmer on other compromised websites, and siphon off the stolen data. Magecart attacks usually involve bad actors compromising a company's online store to siphon credit card numbers and account details of users who're making purchases on the infected site by placing malicious JavaScript skimmers on payment forms. It's the latest in a series of attacks by Magecart, an umbrella term for eight diffe
TrueFire Guitar Tutoring Website Suffers Magecart-style Credit Card Breach

TrueFire Guitar Tutoring Website Suffers Magecart-style Credit Card Breach

Mar 17, 2020
Online guitar tutoring website TrueFire has apparently suffered a 'Magecart' style data breach incident that may have potentially led to the exposure of its customers' personal information and payment card information. TrueFire is one of the popular guitar tutoring websites with over 1 million users, where wanna-be-guitarists pay online to access a massive library of over 900 courses and 40,000 video lessons. Though TrueFire hasn't yet publicly disclosed or acknowledged the breach, The Hacker News learned about the incident after a few affected customers posted online  details of a notification they received from the company last week. The Hacker News also found a copy of the same ' Notice Of Data Breach ' uploaded recently to the website of Montana Department of Justice , specifically on a section where the government shares information on data breaches that also affect Montana residents. Confirming the breach, the notification reveals that an attack
Interpol Arrests 3 Indonesian Credit Card Hackers for Magecart Attacks

Interpol Arrests 3 Indonesian Credit Card Hackers for Magecart Attacks

Jan 25, 2020
The Indonesian National Police in a joint press conference with Interpol and cybersecurity firm Group-IB earlier today announced the arrest of three Magecart-style Indonesian hackers who had compromised hundreds of international e-commerce websites and stolen payment card details of their online shoppers. Dubbed ' Operation Night Fury ,' the investigation was led by Interpol's ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime. According to the press conference, all three accused (23, 26, and 35 years old) were arrested last year in December from Jakarta and Yogyakarta and charged with criminal laws related to the data theft, fraud, and unauthorized access. "The operation is still ongoing in the other five ASEAN countries with which the intelligence was also shared. This case marks the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the re
Magecart Hackers Compromise 80 More eCommerce Sites to Steal Credit Cards

Magecart Hackers Compromise 80 More eCommerce Sites to Steal Credit Cards

Aug 28, 2019
Cybersecurity researchers have discovered over 80 Magecart compromised e-commerce websites that were actively sending credit card information of online shoppers to the attackers-controlled servers. Operating their businesses in the United States, Canada, Europe, Latin America, and Asia, many of these compromised websites are reputable brands in the motorsports industry and high fashion, researchers at Aite Group and Arxan Technologies revealed today in a report shared with The Hacker News. In a world that's growing increasingly digital, Magecart attacks have emerged as a key cybersecurity threat to e-commerce websites. Magecart is an umbrella term given to different cybercriminal groups that are specialized in secretly implanting online credit card skimmers on compromised e-commerce websites with an intent to steal payment card details of their customers. These virtual credit card skimmers, also known as formjacking attack , are basically JavaScript code that hackers
Cybersecurity Resources