
Magecart

Posted: May 6, 2019

Magecart is a label for multiple groups of threat actors who conduct 'sniffing' attacks that compromise vendors' websites for the sake of collecting their customers' credentials. These attacks occur at the time of purchase and may or may not show symptoms such as requests for more information. Updating software, remaining attentive during online purchasing and having anti-malware services present can help with preventing, detecting, and blocking Magecart skimmer attacks.

A Cartful of Robbery along the Digital Highway

While the cyber-security sector has a historical tendency to look down on Web-sniffing campaigns, due to their low level of programming sophistication, skimming remains a viable hazard to Web shoppers around the world. The various groups of Black Hat entities responsible for launching these campaigns are loosely labeled under the Magecart umbrella term. Unlike spyware or banking Trojans, Magecart collects its victims' information without infecting the user's computer.

Magecart campaigns employ families of Trojans, often using JavaScript and exploiting vulnerabilities in platforms like Magento, but not exclusively so. Some typical classes of threats in use include the ImageID JS-sniffer, the GetBilling JS-sniffer, the CoffeMokko JS-sniffer and the FakeCDN JS-sniffer. The threat actors may either compromise a third-party service, such as an advertising company like Adverline, to insert Trojan skimmers into all of its affiliate vendors, or target a specific vendor like Australia's Puma. The object is the insertion of corrupted code that remains hidden until a customer begins a transaction, at which point it 'wakes up.'

From that point, Magecart attacks can intercept credentials like credit card numbers, encode them and passively transfer them to a C&C. However, they also have options not very different from those of the more sophisticated banking Trojans: modifying the customer's Web-browsing experience by inserting phishing requests for more details, disguised as the transaction requiring further authentication. As with most spyware, the only symptoms of Magecart's data-collecting attempts are the ones the threat actors explicitly create as a gamble for a bigger payout.

Keeping Your Cart Clean of Trojans

Magecart operations constitute a large body of separate threat actors' groups, not all of which behave identically to their fellows. As noted previously, some members, such as Magecart Groups 5 and 12, prefer compromising third-party ad suppliers, while others infect vendors' websites directly. While malware experts don't rate Trojan sniffers as being as threatening to most users as rootkits, RATs, or other high-level threats, they do represent a significant privacy breach, regardless of their means of implementation.

Most Web-browsing security tools can provide various means of protecting your computer from a Magecart Trojan skimmer, including blacklisting Black Hat domains and auto-detecting corrupted scripts. Users can further help themselves by using script blockers for disabling Flash, JavaScript, and Java for sites that aren't safe, by watching for unusual interactions during the checkout process, and by watching their credit cards and bank accounts for unauthorized activity. Similar anti-malware solutions exist at the corporate level for disinfecting websites by removing Magecart Trojans.
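For the corporate side, a script inventory of the checkout page shows what such a check looks like; this is an added example, not code from the original article. The page HTML, host names and allowlist are constructed, and the check for an integrity attribute on third-party scripts is an addition that goes beyond the domain and script checks the article names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not from a real site).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://ads.supplier.example/tag.js"></script>
<script src="//cdn-fake.example/jquery.min.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

# Hypothetical allowlist of hosts the shop expects on its checkout page.
ALLOWED_HOSTS = {"shop.example", "cdn.payments.example", "ads.supplier.example"}


class ScriptInventory(HTMLParser):
    """Collect (src, has_integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], bool(attr.get("integrity"))))


def audit_scripts(html, page_host, allowed_hosts):
    """Flag scripts from unexpected hosts, or third-party ones without SRI."""
    parser = ScriptInventory()
    parser.feed(html)
    findings = []
    for src, has_integrity in parser.scripts:
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        if host not in allowed_hosts:
            findings.append((src, "host not on allowlist"))
        elif host != page_host and not has_integrity:
            findings.append((src, "third-party script without integrity attribute"))
    return findings


if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example", ALLOWED_HOSTS):
        print(f"{reason}: {src}")
```

Run against each release of the checkout page, a new finding means a script source has appeared that nobody approved, which is how a supplier-side or directly inserted skimmer would first show up.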

Like any general-purpose label, Magecart applies to many Trojans and attacks, but with unification in their purpose. The common cause of every Trojan sniffer is getting online shoppers' information, and no one should take that for granted when they're handing out their credit card number.
