Magecart | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake  Meta Pixel tracker script  in an attempt to evade detection. Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like  Simple Custom CSS and JS  or the " Miscellaneous Scripts " section of the Magento admin panel. "Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery," security researcher Matt Morrow  said . The bogus Meta Pixel tracker script identified by the web security company contains similar elements as its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain "connect.facebook[.]net" with "

Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a  Magecart campaign  targeting e-commerce websites, according to Sucuri. "As with many other malicious or fake WordPress plugins it contains some deceptive information at the top of the file to give it a veneer of legitimacy," security researcher Ben Martin  said . "In this case, comments claim the code to be 'WordPress Cache Addons.'" Malicious plugins typically find their way to WordPress sites via either a  compromised admin user  or the  exploitation of security flaws  in another plugin already installed on the site. Post installation, the plugin replicates itself to the  mu-plugins  (or must-use plugins) directory so that it's automatically enabled and conceals its presence from the admin panel. "Since the only way to re

The  ransomware industry surged in 2023  as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070.  But 2024 is starting off showing a very different picture.  While the numbers skyrocketed in Q4 2023 with 1309 cases, in Q1 2024, the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023. Figure 1: Victims per quarter There could be several reasons for this significant drop.  Reason 1: The Law Enforcement Intervention Firstly, law enforcement has upped the ante in 2024 with actions against both LockBit and ALPHV. The LockBit Arrests In February, an international operation named "Operation Cronos" culminated in the arrest of at least three associates of the infamous LockBit ransomware syndicate in Poland and Ukraine.  Law enforcement from multiple countries collaborated to take down LockBit's infrastructure. This included seizing their dark web domains and gaining access to their backend sys

The Chinese-speaking threat actors behind  Smishing Triad  have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country. "These criminals send malicious links to their victims' mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send," Resecurity  said  in a report published this week. "This helps them protect the fake website's domain and hosting location." Smishing Triad was  first documented  by the cybersecurity company in September 2023, highlighting the group's use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.  The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside eng

A sophisticated  Magecart  campaign has been observed manipulating websites' default 404 error page to conceal malicious code in what's been described as the latest evolution of the attacks. The activity, per Akamai, targets Magento and WooCommerce websites, with some of the victims belonging to large organizations in the food and retail industries. "In this campaign, all the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources," Akamai security researcher Roman Lvovsky  said  in a Monday analysis. This involves inserting the code directly into the HTML pages or within one of the first-party scripts that were loaded as part of the website. The attacks are realized through a multi-stage chain, in which the loader code retrieves the main payload during runtime in order to capture the sensitive information entered by visitors on checkout pages and exfiltrate it to a remote server. &

Cybersecurity researchers have unearthed a new ongoing  Magecart -style web skimmer campaign that's designed to steal personally identifiable information (PII) and credit card data from e-commerce websites. A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as "makeshift" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites. Web security company Akamai said it identified victims of varying sizes in North America, Latin America, and Europe, potentially putting the personal data of thousands of site visitors at risk of being harvested and sold for illicit profits. "Attackers employ a number of evasion techniques during the campaign, including obfuscating [using] Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager," Akamai security researcher Roman Lv

An ongoing  Magecart  campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users. "The threat actor used original logos from the compromised store and customized a web element known as a modal to perfectly hijack the checkout page," Jérôme Segura, director of threat intelligence at Malwarebytes,  said . "The remarkable thing here is that the skimmer looks more authentic than the original payment page." The term  Magecart  is a catch-all that refers to several cybercrime groups which employ online skimming techniques to steal personal data from websites – most commonly, customer details and payment information on e-commerce websites. The name originates from the groups' initial targeting of the Magento platform. According to  data  shared by Sansec, the first Magecart-like attacks were observed as early as 2010. As of 2022, more than 70,000 sto

Three restaurant ordering platforms MenuDrive, Harbortouch, and InTouchPOS were the target of two Magecart skimming campaigns that resulted in the compromise of at least 311 restaurants. The trio of breaches has led to the theft of more than 50,000 payment card records from these infected restaurants and posted for sale on the dark web. "The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch," cybersecurity firm Recorded Future  revealed  in a report. "InTouchPOS was targeted by a separate, unrelated Magecart campaign, resulting in e-skimmer infections on 157 restaurants using the platform." Magecart actors have a history of  infecting e-commerce websites  with JavaScript skimmers to steal online shoppers' payment card data, billing information, and other personally identifiable information (PII). The first set of act

A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. To that end, it has come to light that  two   malware  domains identified as hosting credit card skimmer code — "scanalytic[.]org" and "js.staticounter[.]net" — are part of a broader infrastructure used to carry out the intrusions, Malwarebytes said in a Tuesday analysis. "We were able to connect these two domains with a  previous campaign from November 2021  which was the first instance to our knowledge of a skimmer checking for the use of virtual machines," Jérôme Segura  said . "However, both of them are now devoid of VM detection code. It's unclear why the threat actors removed it, unless perhaps it caused more issues than benefits." The earliest evidence of the campaign's activity, based on the additional domains uncovered, suggests it dates back to at least May 2020. Magecart  refers to a cybercrim

Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild. Tracked as  CVE-2022-24086 , the shortcoming has a CVSS score of 9.8 out of 10 on the vulnerability scoring system and has been characterized as an " improper input validation " issue that could be weaponized to achieve arbitrary code execution.  It's also a pre-authenticated flaw, meaning it could be exploited without requiring any credentials. Additionally, the California-headquartered company pointed out that the vulnerability can be exploited by an attacker with non-administrative privileges. The flaw affects Adobe Commerce and Magento Open Source 2.4.3-p1 and earlier versions as well as 2.3.7-p2 and earlier versions. Adobe Commerce 2.3.3 and lower are not vulnerable. "Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Ad

E-commerce platforms in the U.S., Germany, and France have come under attack from a new form of malware that targets Nginx servers in an attempt to masquerade its presence and slip past detection by security solutions. "This novel code injects itself into a host Nginx application and is nearly invisible," Sansec Threat Research team  said  in a new report. "The parasite is used to steal data from eCommerce servers, also known as 'server-side Magecart.'"  A free and open-source software, Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. NginRAT, as the advanced malware is called, works by hijacking a host Nginx application to embed itself into the webserver process. The remote access trojan itself is delivered via  CronRAT , another piece of malware the Dutch cybersecurity firm disclosed last week as hiding its malicious payloads in cron jobs scheduled to execute on February 31st, a non-existent ca

Researchers have unearthed a new remote access trojan (RAT) for Linux that employs a never-before-seen stealth technique that involves masking its malicious actions by scheduling them for execution on February 31st, a non-existent calendar day. Dubbed CronRAT, the sneaky malware "enables  server-side Magecart data theft  which bypasses browser-based security solutions," Sansec Threat Research said. The Dutch cybersecurity firm said it found samples of the RAT on several online stores, including an unnamed country's largest outlet. CronRAT's standout feature is its ability to leverage the  cron  job-scheduler utility for Unix to hide malicious payloads using task names programmed to execute on February 31st. Not only does this allow the malware to evade detection from security software, but it also enables it to launch an array of attack commands that could put Linux eCommerce servers at risk. "The CronRAT adds a number of tasks to crontab with a curious date

Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within  comment blocks  and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are  continuously improving  their infection chains to escape detection. "One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion," Sucuri Security Analyst, Ben Martin,  said  in a write-up. "These can later be downloaded using a simple  GET request  at a later date." Magecart is the umbrella term given to multiple groups of cybercriminals targeting e-commerce websites with the goal of plundering credit card numbers by injecting malicious JavaScript skimmers and selling them on the black market. Sucuri attributed the attack to  Magecart Group 7  based on overlaps in the tactics, techniques, and procedures (TT

Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users. "These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores," Malwarebytes Jérôme Segura  said  in a Thursday write-up. "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer." Injecting web skimmers on e-commerce websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems. Also known as formjacking attacks, the skimmers take the form of JavaScript code that the operators stealthily insert into an e-commerce website, often on payment pages, with an intent to c

A wave of cyberattacks against retailers running the Magento 1.x e-commerce platform earlier this September has been attributed to one single group, according to the latest research. "This group has carried out a large number of diverse Magecart attacks that often compromise large numbers of websites at once through supply chain attacks, such as the Adverline incident , or through the use of exploits such as in the September Magento 1 compromises," RiskIQ said in an analysis published today. Collectively called Cardbleed , the attacks targeted at least 2,806 online storefronts running Magento 1.x, which reached end-of-life as of June 30, 2020. Injecting e-skimmers on shopping websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems. These virtual credit card skimmers, also known as formjacking attacks , are typically JavaScript code that the operators stealth

Cybercriminal groups are constantly evolving to find new ways to pilfer financial information, and the latest trick in their arsenal is to leverage the messaging app Telegram to their benefit. In what's a new tactic adopted by Magecart groups, the encrypted messaging service is being used to send stolen payment details from compromised websites back to the attackers. "For threat actors, this data exfiltration mechanism is efficient and doesn't require them to keep up infrastructure that could be taken down or blocked by defenders," Jérôme Segura of Malwarebytes said in a Monday analysis . "They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets." The TTP was first publicly documented by security researcher @AffableKraut in a Twitter thread last week using data from Dutch cybersecurity firm Sansec. Injecting e-skimmers on shopping websites by exploiting a known

In what's one of the most innovative hacking campaigns, cybercrime gangs are now hiding malicious code implants in the metadata of image files to covertly steal payment card information entered by visitors on the hacked websites. "We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores," Malwarebytes researchers said last week. "This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot." The evolving tactic of the operation, widely known as web skimming or a Magecart attack, comes as bad actors are finding different ways to inject JavaScript scripts, including misconfigured AWS S3 data storage buckets and exploiting content security policy to transmit data to a Google Analytics account under their control. Using Steganography

Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns. In a new report shared with The Hacker News, cybersecurity firm RiskIQ said it identified three compromised websites belonging to Endeavor Business Media last month that are still hosting JavaScript skimming code — a classic tactic embraced by Magecart , a consortium of different hacker groups who target online shopping cart systems. The unpatched affected websites host emergency services-related content and chat forums catering to firefighters, police officers, and security professionals, per RiskIQ. www[.]officer[.]com www[.]firehouse[.]com www[.]securityinfowatch[.]com The cyber firm said it hasn't heard back from Endeavor Business Media despite reaching out to the company to address the issues. As a consequence, it's working with Swiss non-profit cyber