FortiGuard Labs Threat Research
Threat Analysis Report from FortiGuard Labs
FortiGuard Labs has been monitoring the evolution of the e-commerce threat landscape. This includes the StealthWorker malware, which brute-forces credentials to compromise e-commerce websites, and Magecart, which steals payment card details from compromised sites.
Magecart is the name given to numerous cyber criminal groups that embed digital skimmers on compromised e-commerce sites. These groups made global headlines for a series of high-profile breaches at Ticketmaster, British Airways, and Newegg. They are still active and continue to target online stores to steal payment card details from unsuspecting customers.
<C&C>/src/<compromised website>.js
To confirm that the current page is the payment page, the script searches the page URL for the keywords onepage, checkout, onestep, and firecheckout. Once it is on a matching page, it intercepts the following details after an unsuspecting customer fills in the form fields:
The intercepted information is then obfuscated by base64-encoding it and replacing some characters in the result:
Without knowing which characters were replaced, it would be difficult to decode the blob back to the original information, since a plain base64 decode fails on the substituted characters.
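The following is an added example (not the skimmer's own code and not FortiGuard tooling) that reproduces the three behaviours just described so that an analyst can test them: the substring URL check that gates the skimmer, the base64-plus-substitution encoding of the captured form data, and the reverse lookup needed to decode it. The substitution table, the sample form data (an industry-standard test card number) and the URLs are all assumptions; the report does not publish the real mapping.

```python
import base64

# Keywords the report says the skimmer looks for in the URL before it activates.
PAYMENT_PAGE_KEYWORDS = ("onepage", "checkout", "onestep", "firecheckout")

# Standard base64 alphabet plus padding; anything outside it in a captured blob
# is a tell that a substitution layer sits on top of the base64 encoding.
B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)

# Hypothetical substitution table. The report does not publish the real one;
# this stands in for it so the encode/decode round trip can be shown.
SUBSTITUTIONS = {"A": "!", "e": "@", "/": "^", "=": "~"}

# Constructed sample of the kind of form data the skimmer collects
# (a standard test PAN, not a real card).
SAMPLE_FORM = '{"cc_number":"4111111111111111","cc_exp":"12/29","cc_cvv":"123","name":"Jane Doe"}'


def skimmer_would_fire(url: str) -> bool:
    """True if the URL contains any of the keywords the skimmer checks for.

    The check is a plain substring match, so a storefront whose non-payment
    pages also contain e.g. 'checkout' in the path would be skimmed as well.
    """
    u = url.lower()
    return any(keyword in u for keyword in PAYMENT_PAGE_KEYWORDS)


def obfuscate(plaintext: str, table: dict = SUBSTITUTIONS) -> str:
    """base64-encode, then swap selected characters, as the report describes."""
    blob = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return "".join(table.get(ch, ch) for ch in blob)


def foreign_characters(blob: str) -> set:
    """Characters in an exfil blob that cannot come from plain base64."""
    return set(blob) - B64_ALPHABET


def deobfuscate(blob: str, table: dict = SUBSTITUTIONS) -> str:
    """Reverse the substitution with a known table, then base64-decode.

    Assumes the substitutes themselves are not base64 characters; otherwise
    the mapping is ambiguous and cannot be undone by a simple reverse lookup.
    """
    reverse = {substitute: original for original, substitute in table.items()}
    restored = "".join(reverse.get(ch, ch) for ch in blob)
    return base64.b64decode(restored, validate=True).decode("utf-8")


if __name__ == "__main__":
    for url in ("https://shop.example/checkout/onepage/", "https://shop.example/catalog/shoes"):
        print(url, "->", "skimmed" if skimmer_would_fire(url) else "ignored")
    blob = obfuscate(SAMPLE_FORM)
    print("exfil blob:", blob)
    print("non-base64 characters:", sorted(foreign_characters(blob)))
    print("recovered:", deobfuscate(blob))
```

In practice the substitution table is recovered from the injected script itself (the encoding routine has to ship with the skimmer), and `foreign_characters` is the quick triage step that tells you a captured blob is not plain base64 before you go looking for it.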
Inspecting the C&C at IP address 178.33.231[.]184 revealed other domains it hosts. As expected, these domain names imitate legitimate e-commerce websites related to different services and products (e.g. food, fitness, espresso). This makes a malicious script reference harder to spot when reviewing a page's source.
Further investigation of the C&C infrastructure led us to what appears to be the debug log of the C&C server. Each line contains a date and time, a payment card number, and the string "SAVED", which suggests that each record the C&C received from a compromised website was forwarded to and saved in a separate database belonging to the attacker.
Based on our observations, the timestamps appear to be in GMT+2.
To extract more information from the payment card numbers, we used a Python library called card-validator to check whether each number is structurally valid (Luhn checksum). We then looked up the Issuer Identification Number (IIN), the leading six digits of the card number, against a list of known IINs to determine the issuer, the type of payment card, the related institution, and its country of origin.
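Below is an added example (not FortiGuard's tooling) of the log-processing pipeline described in the two paragraphs above: parse the debug log, normalise the GMT+2 timestamps to UTC, Luhn-validate each card number, resolve the IIN, and aggregate by brand and country. It implements the Luhn check by hand rather than calling the card-validator library. The log layout, the IIN table rows and the log lines are constructed; the card numbers are industry-standard test PANs, not stolen data. The `mask_pan` helper is included because anyone working with a log like this should never copy full PANs into their own notes or reports.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed log lines in the shape the report describes (timestamp, card
# number, "SAVED"). The exact layout of the real log is an assumption, and the
# card numbers are industry-standard test PANs, not stolen cards.
SAMPLE_LOG = """\
2019-03-12 14:03:55 4111111111111111 SAVED
2019-03-12 14:05:10 5555555555554444 SAVED
2019-03-12 15:21:42 378282246310005 SAVED
2019-03-12 15:22:07 4111111111111112 SAVED
2019-03-13 09:00:01 6011111111111117 SAVED
"""

# Hypothetical IIN table excerpt keyed on the leading six digits:
# (brand, card type, institution, country). A real analysis uses a maintained
# BIN database; the institution names here are placeholders.
IIN_TABLE = {
    "411111": ("Visa", "credit", "Test Bank A", "US"),
    "555555": ("Mastercard", "credit", "Test Bank B", "DE"),
    "378282": ("American Express", "credit", "Test Bank C", "US"),
}

LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{12,19}) SAVED$")
LOG_TZ = timezone(timedelta(hours=2))  # the report observes GMT+2 timestamps


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep IIN and last four only; never write full PANs to your own reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_log(text: str) -> list:
    """Return {'utc': datetime, 'pan': str} per well-formed line, normalising GMT+2 to UTC."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOG_TZ)
        records.append({"utc": local.astimezone(timezone.utc), "pan": m.group(2)})
    return records


def analyze(text: str) -> dict:
    """Validate each PAN, resolve its IIN and aggregate by brand and country."""
    summary = {"total": 0, "valid": 0, "invalid": 0, "unknown_iin": 0,
               "by_brand": Counter(), "by_country": Counter()}
    for rec in parse_log(text):
        summary["total"] += 1
        if not luhn_valid(rec["pan"]):
            summary["invalid"] += 1
            continue
        summary["valid"] += 1
        info = IIN_TABLE.get(rec["pan"][:6])
        if info is None:
            summary["unknown_iin"] += 1
            continue
        brand, _card_type, _institution, country = info
        summary["by_brand"][brand] += 1
        summary["by_country"][country] += 1
    identified = summary["valid"] - summary["unknown_iin"]
    summary["identified_share"] = identified / summary["valid"] if summary["valid"] else 0.0
    return summary


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        status = "valid" if luhn_valid(rec["pan"]) else "INVALID"
        print(rec["utc"].isoformat(), mask_pan(rec["pan"]), status)
    result = analyze(SAMPLE_LOG)
    print("valid:", result["valid"], "invalid:", result["invalid"])
    print("issuing country identified for {:.0%} of valid cards".format(result["identified_share"]))
    print("by country:", dict(result["by_country"]))
```

The `identified_share` figure is the same ratio the report quotes (the share of valid card numbers whose issuing country could be resolved); with a partial IIN table it will always be below 100%, which is why the report's 54% is a lower bound on what a fuller BIN database would give.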
In the early stages of this campaign, the cyber criminals were able to harvest as many as 40,000+ payment card details in a single month. After that, the rate began to slow. One reason may be that more people became aware of the scheme and/or more security companies began detecting the campaign; after all, this was when news of breaches at major global brands spread. Another possibility is that owners of the compromised e-commerce websites started to discover and remove the malicious scripts from their systems, leaving fewer card details for Magecart to steal.
Analyzing the compromised card numbers in the debug log, we found that most major issuers were affected. Using the associated Issuer Identification Numbers, we were able to identify the issuing country for 54% of the valid card numbers. Here is a breakdown of the top countries affected:
The information gathered from this campaign shows how effective Magecart groups are at compromising e-commerce websites and stealing payment card details. Given the amount of data stolen by this campaign, we can only imagine the staggering number of fraud cases that may follow, and their impact on card issuers, e-commerce companies, and consumers.
While the campaign is slowly declining, it is still operational. We can safely assume that cyber criminals will continue to find new ways to compromise e-commerce websites. The best defense is for e-commerce companies to follow good security practices and to monitor their systems continuously for suspicious activity, including unexpected changes to the scripts served on checkout pages.
Fortinet customers are protected by the following solutions:
Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.