MageCart attack? what nonsense is that ..
MageCart attacks are a recent series of attacks on E-Commerce websites which target and steal credit card information that affected thousands of websites including the British Airways. With the COVID-19 outbreak people tend to use E-commerce sites for their day to day needs more than ever before, Which makes e-skimming attacks like MageCart more popular among bad guys.
Sounds scary, so how can I protect myself?
Bad news, You can’t. These attacks are really hard to detect since the malicious code is hidden inside the legitimate code waiting for you to enter your credit card info and buy that carton of milk :)
Since we got that out of the way, Get your hunting gear ready lads its time for a hunt.
This is one of the leading supermarkets in Sri Lanka and the initial compromise date is unknown, and by the time this article was written the malicious code was still embedded in the website. Which means the attackers are still actively skimming the cards.
If you know what you are doing these attacks are easy to spot.. Lets start with a good old urlscan[.]io scan to identify the IPs which are associated with this site for anomalies.
Did you find the odd IP? Its the IP that does not belong to any verified domain “193.38.34[.]176”. Now that we caught the scent lets follow the vodka smell(Get it? because the IP is russian). Next step is to see what this IP is doing inside this site.
In here we can see two new artifacts; a domain name and a JS file being loaded from the IP, Now that we have the initial artifacts, we need to get these in one place so it makes some sense. For this my go to tool is VirusTotal Graphs it requires you to create a free account but its well worth it. Using the VT graph is out of this post’s scope so that is an adventure for some other time, For now here is my already built graph.
Our first artifact, The domain name has 7 detections on VT and the domain is created 1 month ago which is another red flag since these malicious domains pop in and out with a short lifespan.
Second artifact; the JS file has 15 detections on VT as a JS trojan lets dissect it later.
Next step of investigation is to identify how they load this malicious file into the legitimate site, A careful look at the source-code reveals where the attackers embed their source code. Look at the screenshot below.
Even the trail so far has confirmed this to be a nasty piece of malware.
For further confirmation lets take a look at the code of this sneaky little piece of code. It was initially obfuscated but running through a quick de-obfuscator reveals us the code below.
Script collecting sensitive data
A base 64 encoded string
Data ex-filtration via JSON objects
Above encoded string gives us the decoded URL of “https://jquerycss.[]online/css/font-awesome.min.css” which is most probably used to ex-filtrate data. Since the JS file is still being studied its hard to predict the exact functionalities of the file.
Next big question is how did these attackers come in and edit the source code? Well at the moment looking at the website from the outside; The most probable way is through a Magento exploit since this site is built using Magento. But hey thats just a theory!
The JS code analysis is coming soon
Get the IOC for the attack from here