A new faction of the infamous Magecart cybercrime group was able to compromise a French online advertising provider and install a script that was then propagated to ecommerce sites that loaded code from the ad provider, an attack that could be a sign of things to come with other attack groups.
The compromise of Adverline took place at the end of December and was the work of a team that researchers from RiskIQ are calling Magecart Group 12, a group that hasn’t been documented before. Magecart is an amorphous and loosely connected network of groups that use a variety of techniques to inject a web skimmer into ecommerce and other sites in order to steal payment card information. Magecart has been in operation for at least four years and has been tied to a number of major breaches, including one at Ticketmaster UK. There are several individual groups that fall under the Magecart umbrella, and they generally have different modes of operation and targets.
Group 12 is a newly identified subset of Magecart that has been conducting operations since about September, using typical injection and skimming techniques. But in December, the group hit a target that provided it with the opportunity for much broader reach for its data theft: Adverline. The company provides advertising services for various sites, and the Magecart attackers were able to compromise a JavaScript library that Adverline provides to third-party sites.
“Unlike other online skimmer groups that directly compromise their target’s shopping cart platforms, Magecart Groups 5 and 12 attack third-party services used by e-commerce websites by injecting skimming code to JavaScript libraries they provide. This enables all websites embedded with the script to load the skimming code. Targeting third-party services also helps expand their reach, allowing them to steal more data,” Chaoying Liu and Joseph C. Chen of Trend Micro wrote in an analysis of the compromise.
“At the time of our research, the websites embedded with Adverline’s retargeting script loaded Magecart Group 12’s skimming code, which, in turn, skims payment information entered on webpages then sends it to its remote server.”
This is a much more efficient tactic for Magecart than going after each shopping cart site individually. By targeting a third party that provides resources to a wide customer base, the attackers greatly increase their potential financial rewards. Other Magecart groups have employed a similar technique in the past, targeting third-party library providers who supply plug-ins for ecommerce sites. Group 12 has put together a comprehensive attack infrastructure that allows it to deliver its malicious code directly.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” Yonathan Klijnsma, head of threat research at RiskIQ, who has been following Magecart for several years, wrote in a post on the new compromise.
“The skimmer code for Group 12 has an interesting twist; it protects itself from deobfuscation and analysis by performing an integrity check on itself. The actual injection script comes in two stages, which both perform a self-integrity check.”
The skimmer that Group 12 used in the compromise of Adverline performed a variety of checks after installation: whether it was on a checkout page, whether certain words were present in the URL, and whether it was running on a mobile device. All of this is designed to ensure that the skimmer is in the correct place and has a chance to do its job. If the script determines that it is on a suitable site, it executes the skimmer.
“Once any value instead of empty is entered on the webpage’s typing form, the script will copy both the form name and values keyed in by the user. Stolen payment and billing data is stored in a JavaScript LocalStorage with the key name Cache. The copied data is Base64-encoded. It also generates a random number to specify individual victims, which it reserves into LocalStorage with key name E-tag. A JavaScript event ‘unload’ is triggered whenever the user closes or refreshes the payment webpage,” the Trend Micro researchers said.
The Trend Micro team, which discovered the Adverline compromise, informed the company of the attack, and Adverline was able to address the issue. The command-and-control domains involved in the attack are no longer functioning.