Tag Archive for: Magecart

How Credit Unions Can Stop Advanced Magecart Attacks. Period.


The ups and downs of the last year and a half have wreaked havoc on societal norms. They have changed how we work out, socialize with our friends and family, celebrate life’s events, and conduct business. The tension between safety and normalcy is one we all navigate every day.

As a result, people are conducting business over the internet using mobile apps and web browsers more frequently than before. Companies are embracing mobile and home access to traditionally in-person transactions such as banking and finance. These financial institutions are using security features like Face ID, Touch ID, and multi-factor authentication (MFA) to make account logins more secure. They are also using software and technology to secure the data inside their systems on the back end.

But what are companies doing to protect the information that passes between login and storage? Securely logging into my account and entering my personal information into an online loan application, account creation, or investment form does not automatically mean the information is safe. Online skimming attacks, such as Magecart, are a concern these financial institutions cannot ignore. An article by Stickley on Security summarizes how advanced attacks can infiltrate and hide in benign media objects like images or videos on a website.

In April of this year, the Credit Union National Association published an article from Cyber Defense Labs offering three steps to take to prepare for the next cyberattack. Let that sink in for a moment. There will be a “next” cyberattack. There are no ifs, ands, or buts about it.

Security professionals cannot have an “if” mentality; they need a “when” mindset. The article asks of credit unions:

“Is your team knowledgeable and informed about today’s threat environment, where vulnerabilities are being exploited across the financial services sector, and what to watch out for?”

When it comes to today’s threat environment, many security professionals forget that the same mobile app or web browser customers use to log in can be the target of advanced Magecart attacks. Most of the difficulty in preventing or even detecting these attacks comes from supply-chain…


New Grelos skimmer variant reveals overlap in Magecart group activities, malware infrastructure


A new variant of a skimmer has revealed the increasingly muddy waters associated with tracking groups involved in Magecart-style attacks.

On Wednesday, researchers from RiskIQ described how a new Grelos skimmer has shown there are “increased overlaps” in Magecart infrastructure and groups, with this malware — alongside other forms of skimmer — now being hosted on domain infrastructure used by multiple groups, or connected via WHOIS records, known phishing campaigns, and the deployment of other malware, creating crossovers that can be difficult to separate.


Magecart is an umbrella term used to describe information-stealing campaigns and threat actors that specialize in the theft of payment card data from e-commerce websites.

Several years ago, well-known brands including British Airways and Ticketmaster became the first major victims of this form of attack, and since then, countless websites have fallen prey to the same technique.

The new variant of the Grelos skimmer, malware that has been around since at least 2015 and is associated with Magecart groups 1 and 2, is similar to a separate strain described by researcher @AffableKraut in July. This variant is a WebSocket-based skimmer that uses base64 obfuscation to hide its activities.

“We believe this skimmer is not directly related to Group 1-2’s activity from 2015-16, but instead a rehash of some of their code,” RiskIQ says. “This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over.”


Following a Magecart attack on Boom! Mobile, RiskIQ examined the links Malwarebytes had established between this attack and the Fullz House group, which loaded malicious JavaScript onto the mobile network provider’s site to scrape customer data.

The domains used in this cyberattack led the team to a cookie and associated skimmer websites, including facebookapimanager[.]com and googleapimanager[.]com.

However, instead of finding the Fullz House…


Magento Stores Running Outdated Software Version Hit by the Largest Magecart Attack Since 2015 – CPO Magazine
