News Insights: MageCart Skims Credit Cards from FocusCamera.com

MageCart Skims Credit Cards from FocusCamera.com

Late in December 2019, someone I know received a notification from their credit card company stating a transaction for a purchase of substantial value was pending. Not recognizing the transaction, the person immediately contacted the credit card company to put a stop to the transaction which had n…

News Insights:

PerimeterX’s Senior Security Researcher Gadi Naveh provided the following comments: “As most conventional businesses are moving to conduct their payments online, the attack landscape is shifting to compromise online payments. Stores using physical payment methods have learned their lesson and invested in preventive methods to block Point of Sale credit card theft. Online stores, which are the new Point of Sale, should also add preventive measures to protect their users from data breaches resulting from online skimmers and Magecart attacks. As the case of Blue Bear shows, even a third-party payment vendor intended to improve security can be compromised. Any script introduced to a website can be exploited to exfiltrate user data.”

According to Mounir Hahad, head of the Juniper Threat Labs at Juniper Research:

“This attack has all the hallmarks of a Magecart attack, going after the client-side skimming of payment card data. This is not any particular hacker group, but rather a consortium of threat actors using similar methods to compromise third-party libraries in a supply chain attack, or simply hacking into the target website to implant malicious code. Amongst the well-known victims are British Airways, TicketMaster, NewEgg and more.

As soon as we realized focuscamera.com was breached, Juniper Threat Labs immediately reached out to the site owners via an online contact form as well as left voicemails. Unfortunately, weekends and a time zone difference caused a couple days of delay in response, but we managed to have a live conversation with the domain admins. We shared all the information we had at the time and held a follow-up call later in the day to share additional discoveries, based on our analysis of the site. By the end of the day, the malicious code was removed from the site.

MageCart continues to pose significant risk to online shopping and is expected to be one of the top cyber security stories of 2020. It is possible for site owners to guard against this attack by ensuring the integrity of their site’s source code. Indeed, attackers do need to tamper with the site’s source code to inject the malicious skimmer JavaScript, either by exploiting a server’s vulnerability or by compromising a third party library. In this particular example, it is clear that some JavaScript file from focuscamera.com was modified from its original deployed version to include the additional injected eval statement. With simple file hash monitoring, this should trigger an alarm.”
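
The file hash monitoring mentioned in the comment above can be sketched as follows. This is an added example, not code from the original page or from Juniper Threat Labs; the directory layout, file names and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(web_root, pattern="*.js"):
    """Map each script's path (relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob(pattern)) if p.is_file()
    }

def compare(baseline, current):
    """Return scripts that changed, appeared, or vanished since the baseline."""
    return {
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Constructed sample: a tiny web root whose checkout script is altered."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("function pay(){ submitForm(); }\n")
        (root / "js" / "cart.js").write_text("function add(){ }\n")
        baseline = build_manifest(root)  # recorded at deploy time
        # Simulate tampering: an eval statement appended to a deployed file,
        # plus an unexpected script that was never part of the release.
        with open(root / "js" / "checkout.js", "a") as f:
            f.write('eval("/* constructed placeholder */");\n')
        (root / "js" / "extra.js").write_text("// not part of the release\n")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"ALERT {kind}: {name}")
```

The baseline manifest should be stored somewhere the web server cannot write to, so that whoever can modify the scripts cannot also rewrite the expected hashes.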