MageCart Skims Credit Cards from FocusCamera.com
Late in December 2019, someone I know received a notification from their credit card company stating a transaction for a purchase of substantial value was pending. Not recognizing the transaction, the person immediately contacted the credit card company to put a stop to the transaction which had n…
PerimeterX’s Senior Security Researcher Gadi Naveh provided the following comments: “As most conventional businesses are moving to conduct their payments online, the attack landscape is shifting to compromise online payments. Stores using physical payment methods have learned their lesson and invested in preventive methods to block Point of Sale credit card theft. Online stores, which are the new Point of Sale, should also add preventive measures to protect their users from data breaches resulting from online skimmers and Magecart attacks. As the case of Blue Bear shows, even a third-party payment vendor intended to improve security can be compromised. Any script introduced to a website can be exploited to exfiltrate user data.”
According to Mounir Hahad, head of the Juniper Threat Labs at Juniper Research:
“This attack has all the hallmarks of a Magecart attack, going after the client-side skimming of payment card data. This is not any particular hacker group, but rather a consortium of threat actors using similar methods to compromise third-party libraries in a supply chain attack, or simply hacking into the target website to implant malicious code. Amongst the well-known victims are British Airways, TicketMaster, NewEgg and more.
As soon as we realized focuscamera.com was breached, Juniper Threat Labs immediately reached out to the site owners via an online contact form as well as left voicemails. Unfortunately, weekends and a time zone difference caused a couple of days of delay in response, but we managed to have a live conversation with the domain admins. We shared all the information we had at the time and held a follow-up call later in the day to share additional discoveries, based on our analysis of the site. By the end of the day, the malicious code was removed from the site.