Magecart is a consortium of criminal hacker groups who target online shopping-cart systems, usually Magento, to steal customer payment-card information. This is a form of supply chain attack.
The idea behind such attacks is to compromise a piece of third-party software supplied by a VAR (value-added reseller) or systems integrator, or to infect an industrial process without the knowledge of the IT department.
How the malware works:-
One clever way for attackers to host their malware (and sadly not limited to Magecart attacks) is to upload their code to an unused GitHub project. The criminals try to take ownership of the abandoned project and then publish a “new” version of its code that contains the malware.
This has the direct benefit of quickly getting the malware into active use across thousands of websites. Security tools might not scan code pulled from GitHub, so the criminals can hide in plain sight and get away with the compromised project.
Telegram is used to send the data:-
According to researchers, Telegram is used as the channel for sending stolen credit-card information back to the attackers' command-and-control (C2) server. In this case, according to Jérôme Segura at Malwarebytes, the attackers are using a lawful platform where the traffic is difficult to detect, because the exfiltrated data is blended into normal traffic. Recent campaigns have exposed data such as name, address, credit-card number, expiry date and CVV being relayed via an instant message sent to a private Telegram channel.
The skimmer has a hardcoded list of input-field names to watch for on web pages. It uses a “prayer()” function to perform the data exfiltration. It first snatches the data by calling getData and then verifies that it has address details, trying to find them elsewhere if it has not yet retrieved them.
The data is then encrypted with a public key, after which some Base64-encoded code runs. A bot is used to post it to Telegram, where all that is needed is a bot token and a chat to post to.
Exfiltration is triggered only if the user’s browser contains keywords indicating a shopping site and when the user validates their cart.
At this point, the browser sends the payment details to both the legitimate payment processor and the criminals. The fraudulent data exchange is done through Telegram’s API, which posts the payment details into a chat channel.
Steps for defense:-
- This kind of approach can be mitigated via a Content Security Policy (CSP), which restricts where the page may load scripts from and which hosts it may connect to.
- The only way to detect such a change is to compare the entire e-commerce code stack line by line and see what has changed.
- Magecart operates by stealth, making small changes to source code. It is therefore essential that you are vigilant and aware of what code is running on your website.
- Block third-party vendors, and block unknown and unwanted website trackers, technologies and tags to prevent them from firing on the site and collecting data.
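A defender-side check for the behaviour described above and for the CSP mitigation, added here as an example (it is not code from the original post, from Malwarebytes or from any skimmer): it scans a JavaScript source for the indicators the text describes (a Telegram Bot API endpoint, a hardcoded list of payment field names, Base64 decoding) and tests whether a site's CSP `connect-src` would permit a connection to api.telegram.org. The regex, the field-name list, the sample snippets and the sample policy are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators modelled on the behaviour described above. Patterns, field names
# and samples are constructed for this example, not taken from a real skimmer.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot[^/\s'\"]+/sendMessage", re.I)
PAYMENT_FIELDS = ("cardnumber", "card_number", "ccnumber", "cvv", "cvc",
                  "expiry", "exp_month", "exp_year")

def scan_script(source: str) -> dict:
    """Report skimmer indicators found in one JavaScript source string."""
    quoted = {f for f in PAYMENT_FIELDS            # quoted field-name literals
              if re.search(r"['\"]" + re.escape(f) + r"['\"]", source, re.I)}
    return {"telegram_bot_api": bool(TELEGRAM_BOT_RE.search(source)),
            "payment_fields": sorted(quoted),
            "base64_decode": "atob(" in source}

def is_suspicious(report: dict) -> bool:
    """Telegram bot endpoint alone, or several payment fields plus Base64."""
    return report["telegram_bot_api"] or (
        len(report["payment_fields"]) >= 3 and report["base64_decode"])

def csp_allows_connect(csp: str, url: str) -> bool:
    """Would this CSP let the page open a connection to url? Uses connect-src,
    falling back to default-src; 'self' is assumed never to match the exfil host."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("connect-src", directives.get("default-src", ["*"]))
    host = urlparse(url).hostname or ""
    for src in sources:
        s = src.strip("'").lower()
        if s == "*":
            return True
        if s in ("self", "none"):
            continue
        h = urlparse(s if "//" in s else "//" + s).hostname or s
        if h == host or (h.startswith("*.") and host.endswith(h[1:])):
            return True
    return False

# Constructed samples: indicator strings only, not a working skimmer.
SUSPICIOUS_JS = ('var f=["cardnumber","cvv","expiry","exp_month"];var p=atob("...");'
                 'fetch("https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<ID>");')
BENIGN_JS = ("document.getElementsByName('cvv')[0].addEventListener('input', luhn);"
             "fetch('/api/checkout', {method: 'POST', body: data});")
STRICT_CSP = "default-src 'self'; connect-src 'self' https://payments.example.com"
```

Run `scan_script` over every script served on the checkout page (first-party and third-party) and diff the reports between deployments; a new Telegram endpoint or a new field-name list is the kind of small change the text warns about.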