Server-side requests to malicious domain conceal malware from endpoint security tools
UPDATED Novel credit card skimming malware that easily evades client-side detection has been deployed against e-commerce sites running unsupported versions of Magento, security researchers have found.
The campaign has been attributed to Magecart Group 12, since it uses infrastructure previously linked to the group and the new malware is disguised as a favicon – an image file containing a brand logo displayed on browser tabs.
End of the line
Jérôme Segura, lead malware threat intelligence analyst at Malwarebytes, told The Daily Swig that his team detected the malware on “a few dozen sites” running Magento 1, “which was enough to see a pattern”.
The latest and final Magento 1 version is still estimated to power nearly 53,000 e-commerce sites, almost 11 months after Adobe discontinued support for the release line.
Magecart 12 threat actors were also blamed for a wave of attacks in September 2020 that leveraged another innovative skimmer, dubbed ‘Ant and Cockroach’ by RiskIQ, and impacted approaching 3,000 domains running Magento 1.
The prolific group has also been credited with the use of a decoy Cloudflare library and the covert installation of cryptocurrency miners on vulnerable websites.
“One aspect that we still aren’t quite sure about is whether they are directly implicated in the compromise of websites,” said Segura. “It’s quite possible that they buy access to sites where shells have been uploaded already.”
Sneaking through server-side
Requests to the malicious domain are done server-side, circumventing detection or blocking by client-side security tools.
The “domain/IP database approach” commonly deployed to thwart conventional client-side skimming attacks would not work against the new malware “unless all compromised stores were blacklisted, which is a catch-22 situation”, reads the blog post.
An alternative approach, inspecting the DOM in real time and detecting when malicious code has been loaded, is “more effective, but also more complex and prone to false positives”, added Segura.
Faulty PHP script
Magento.png “attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file”, he continued.
Vulnerable sites are compromised “by replacing the legitimate shortcut icon tags with a path to the fake PNG file.”
However, Segura noted that “in its current implementation this PHP script won’t be loaded properly”.
“Nevertheless, this campaign gave us some good insights into what the malware can do and what potentially lies ahead. As defenders are blocking web skimming infrastructure at a rapid pace, it makes sense to perform skimming and data exfiltration out of the client-side scope where security products work.”
Segura also urged online merchants to keep their stores “up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them”.
According to a scan of Magento websites performed by cybersecurity firm Foregenix in July 2020, a few days after vendor support was discontinued, 79.6% of malware-infected domains were running Magento 1.
This article was updated with comments from Jérôme Segura of Malwarebytes on May 17