
Cybercrime actors who are part of the Magecart group have latched on to a new technique: obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server. It once again demonstrates how the attackers are continuously improving their infection chains to escape detection.

The Magento platform has been increasingly affected by attacks from Magecart since September 2017, despite new protections implemented by the e-commerce platform provider.

The checkout page is the most likely target of an attack, as that is where sensitive information like cardholder details is stored prior to its submission to the payment processor. However, malicious JavaScript code can also be placed on other pages for potential future attacks – or even within botnet traffic to expand infections.

Since the initial detection of the Magecart attacks, Unisys has continuously improved its defenses against malicious code with new updates. This latest release of e-commerce platform software, version 6.1.2-PLUS-MAGENTO, includes a new module to detect and prevent potential keyloggers and other malware from obtaining sensitive data like a user’s credentials or card numbers via the checkout page.

The protection module scans files on customers’ computers for potentially malicious code that could be used to obtain sensitive data from the checkout page. These files can be viewed locally by file extensions such as .txt, .csv or .xml, which can then be uploaded to an Internet server where they become visible by name and location.

“This is a particularly dangerous type of attack as the malware code is not visible to the user by name but only by file extension,” said Unisys. “This means that an attacker could place this code on other pages on the Internet and hide it from the user’s view so that it will not affect use of the checkout.”

The module will scan files for evidence of malicious code, and will then remove any files containing malicious code when uploaded to external servers. Although this feature is intended to protect against attacks during checkout, it should also be employed alongside additional defenses like following recommendations from security software vendors about what should or must not be uploaded to web servers.

The Magento platform is the third most targeted platform behind WordPress and Joomla, according to a new report from RiskIQ. The report observed Magecart attack attempts against online stores throughout 2017 and found the malware related to the group was responsible for more than one in every six cyberattacks on e-commerce companies.

The Magecart attackers are known to have exploited vulnerabilities in the Magento CMS software, third-party plugins and even developers’ own code. Although the malware has historically been used to create counterfeit credit card orders, it can also be used to carry out personalized phishing campaigns by stealing shoppers’ credentials or other personal data before sending them malicious links via email or text messages.

Like many current Magecart attacks, the malicious code included in this latest attack was distributed within image files. The attackers used the name of the file to hide their code from detection but did not provide any additional technical details about how their code works.
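For defenders, the two hiding places described in this article (comment blocks in code files and image files on the server) can be checked with a simple web-root heuristic. The sketch below is an added example, not code from Unisys, Magento or the original report; it assumes hidden data appears as long base64-looking runs, which the article does not specify, and all function names and sample files are constructed for illustration.

```python
import re
import struct

# Leading magic bytes expected for each image extension.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
CODE_EXTS = (".php", ".phtml", ".js")
# Assumption: hidden payloads or staged data show up as long base64-looking runs.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
BLOCK_COMMENT = re.compile(rb"/\*.*?\*/", re.DOTALL)   # PHP/JS block comment

def png_trailer(data):
    """Walk PNG chunks; return the bytes after IEND, or None if IEND is never reached."""
    pos = 8                                  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                   # length + type + data + CRC
        if ctype == b"IEND":
            return data[pos:] if pos <= len(data) else None
    return None

def scan_file(name, data):
    """Return heuristic findings for one file found under the web root."""
    ext = "." + name.lower().rpartition(".")[2]
    findings = []
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            findings.append("content does not match image extension")
        elif ext == ".png" and png_trailer(data) != b"":
            findings.append("PNG truncated or has data after IEND")
        if B64_RUN.search(data):
            findings.append("base64 run inside image file")
    elif ext in CODE_EXTS:
        if any(B64_RUN.search(c) for c in BLOCK_COMMENT.findall(data)):
            findings.append("base64 run inside comment block")
    return findings

# Constructed samples (not taken from any real incident).
B64_SAMPLE = b"Y29uc3RydWN0ZWQtc2FtcGxl" * 2    # base64 of "constructed-sample", twice
CLEAN_PNG = MAGIC[".png"] + struct.pack(">I4s", 0, b"IEND") + b"\xaeB`\x82"
SAMPLES = {
    "logo.png": CLEAN_PNG,                       # chunk walk ends cleanly at IEND
    "banner.png": CLEAN_PNG + B64_SAMPLE,        # text appended after the image
    "promo.jpg": B64_SAMPLE,                     # text file wearing an image extension
    "index.php": b"<?php /* " + B64_SAMPLE + b" */ echo 1;",
    "util.js": b"/* helper functions */ var a = 1;",
}
RESULTS = {name: scan_file(name, data) for name, data in SAMPLES.items()}
```

Findings are triage leads rather than verdicts: image metadata and minified scripts can legitimately contain long alphanumeric runs, so flagged files still need comparison against a known-good copy of the site.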

The Magecart Group is a global cybercrime group that has been described as the most advanced in the world, since they are the first to implement a raiLZ backdoor and have the ability to perform accurate clickjacking. They are able to steal sensitive data like credit card details or passwords from every page of a site.

Interested in reading about other cybercrime groups today? Cyber-Attack Groups In Ransomware Web discusses how the cybercrime groups today are all connected and working together.


If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.