RiskIQ security researchers, who tracked and exposed attacks by digital credit card skimming gang Magecart against businesses such as Ticketmaster, British Airways and Newegg, warn that web-based, third-party supply chain attacks are increasing.
Magecart, or at least a sub-group dubbed Magecart Group 12 by researchers, appears to be expanding and refining the attacks that compromise third-party suppliers of code meant to improve site functionality, putting a wider range of potential victims at risk because this code typically integrates with thousands of websites with millions of users.
In the past few months, the RiskIQ researchers have been tracking a new attack campaign that used a third-party supply chain attack similar to that used by Magecart Group 5, the group responsible for the attack on Ticketmaster.
However, the researchers believe this attack against French advertising agency Adverline is not the work of Group 5, but a never-before-documented group that previously performed only direct compromises.
“In this case, the group compromised a content delivery network for advertisements to include a stager containing the skimmer code so that any website loading script from the ad agency’s ad tag would inadvertently load the Magecart skimmer for visitors,” the researchers wrote in a blog post.
This content delivery injection expanded the group’s reach, said the researchers, who have confirmed hundreds of victim websites with the potential for thousands more given the number of sites running the ad tag.
The researchers also discovered that the skimmer code for Group 12 protects itself from deobfuscation and analysis by performing an integrity check on itself.
Although the integrity check is performed twice, researchers said the evaluated code is different each time. The first time it runs, it decodes what the researchers called the “fingerprinter” stage. This performs checks to ensure the session belongs to a legitimate consumer and not automated scanners or analysts performing a live analysis.
After the fingerprinting check, a new script is included in the page which contains the second self-integrity check. If the checks fail to go through, the code removes all the artefacts from the page to clean up its traces, otherwise it runs the skimmer code.
This code carries out the same process of skimming payment information as seen in other Magecart groups, the researchers said. However, they note that there are some unique characteristics, such as internationalised payment page keyword checking.
Most skimmer scripts perform a page URL check with a set of keywords before activating the actual skimming part of their code. In most cases these keywords are English and very generic, the researchers said, but Group 12 has added some localisation by adding French and German keywords. The most likely explanation for this, they said, is that Adverline is a French company with a European-focused clientele.
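Added example (not from RiskIQ's report or this article): because the skimmer arrives through a third-party ad tag and only activates on URLs matching payment keywords, a site owner can audit those same pages for script loaded from hosts outside an allowlist. The keyword list, host names and sample pages are constructed assumptions; the article does not list the keywords Group 12 used.

```javascript
// Payment-page keywords in English, French and German (constructed list).
const PAYMENT_KEYWORDS = [
  'checkout', 'payment', 'billing', 'cart',
  'paiement', 'panier', 'commande',
  'kasse', 'bezahlen', 'warenkorb',
];

// True when the URL path or query contains a payment keyword.
function isPaymentPage(pageUrl) {
  const u = new URL(pageUrl);
  const haystack = (u.pathname + u.search).toLowerCase();
  return PAYMENT_KEYWORDS.some((k) => haystack.includes(k));
}

// Hosts of every <script src=...> tag, resolved against the page URL so that
// relative and protocol-relative sources are attributed to the right host.
function scriptHosts(pageUrl, html) {
  const hosts = new Set();
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1] ?? m[2] ?? m[3];
    try {
      hosts.add(new URL(src, pageUrl).hostname.toLowerCase());
    } catch { /* unparseable src value: skip it */ }
  }
  return [...hosts];
}

// Findings: third-party script hosts on payment pages that are not allowlisted.
function auditPages(pages, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const { url, html } of pages) {
    if (!isPaymentPage(url)) continue;
    const own = new URL(url).hostname.toLowerCase();
    for (const host of scriptHosts(url, html)) {
      if (host !== own && !allowed.has(host)) findings.push({ url, host });
    }
  }
  return findings;
}

// Constructed sample pages (saved HTML of a hypothetical shop).
const SAMPLE_PAGES = [
  { url: 'https://shop.example/fr/paiement?step=2',
    html: '<script src="/js/app.js"></script><script async src="//tag.ads.example.net/t.js"></script>' },
  { url: 'https://shop.example/blog/news',
    html: '<script src="https://tag.ads.example.net/t.js"></script>' },
  { url: 'https://shop.example/de/Kasse',
    html: "<script src='https://pay.example.org/sdk.js'></script>" },
];
console.log(auditPages(SAMPLE_PAGES, ['pay.example.org']));
```

The audit only sees script tags present in the saved HTML; tags that a loaded script injects at runtime, as the stager described above does, need a browser-based crawl to observe.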
The researchers note that security firm Trend Micro contacted Adverline after also discovering the injection on an Adverline ad tag script, but said that as of 16 January, there had not been a response from Adverline to Trend Micro’s inquiry, which meant that the injections were still live.
“As per our usual actions when we report on an attack publicly, we’ve made attempts to have the domains involved taken down to stop the documented attacks. The process of taking down and/or sinkholing the domains has once again been taken up by AbuseCH and ShadowServer,” the researchers said, adding that they have published a separate document outlining indicators of compromise (IoC).