Security News

The e-commerce card-skimming landscape has a new wrinkle: Cybercriminals affiliated with the Magecart collective are using encrypted messaging service Telegram as a channel for sending stolen credit-card information back to its command-and-control servers. "Telegram is a popular and legitimate instant messaging service that provides end-to-end encryption, [and] a number of cybercriminals abuse it for their daily communications but also for automated tasks found in malware." He added, "The novelty [here] is the presence of the Telegram code to exfiltrate the stolen data."

"The biggest takeaway is that there exists a market, demanded by cybercriminals, for threat actors to advertise customized sniffer variants to conduct attacks against e-commerce websites through malicious JavaScript injection," researchers with Recorded Future told Threatpost, on Thursday. One such Russian-speaking threat actor currently making waves is called "Billar," which created and is the sole designer of a payment card sniffer called "Mr.SNIFFA." This sniffer was first debuted on Exploit Forum on Dec. 3, 2019, and is currently being advertised for about $3,000.

The continuing wave of attacks by cybercriminal groups known under the umbrella term Magecart perfectly illustrates just how unprepared many e-commerce operations are from a security point of view. Based on the information we have gleaned from previous Magecart attacks, it is obvious that there is no sure-fire way of preventing these types of attacks completely.

Over the past three years, one of the groups operating under the Magecart umbrella has targeted over 570 e-commerce websites and likely made more than $7 million, threat intelligence company Gemini Advisory reports. Referred to as Keeper, the group operates 64 attacker and 73 exfiltration domains and has hit targets in 55 countries since April 1, 2017.

The team at security biz Gemini Advisory said a long-running criminal gang dubbed Keeper compromised hundreds of online shopping sites over the past three years to install the software nasty. We're told 85 per cent were infected after the hackers exploited known flaws in the open-source Magento content management system popular among e-commerce businesses and used by the sites.

The Lazarus Group, state-sponsored hackers affiliated with North Korea, has added digital payment-card skimming to their repertoire, researchers said, using Magecart code. The analysis found that Lazarus was likely planting Magecart payment skimmers on major online retailer sites as early as May 2019.

Hackers linked to the North Korean government appear to be behind the Magecart attacks on fashion retailer Claire's and other online stores, Netherlands-based e-commerce security company Sansec reported on Monday. Threat actors linked to North Korea have been known to launch - in addition to espionage and destructive campaigns - financially-motivated attacks, including against cryptocurrency exchanges and banks.

Magecart web skimmers were found on the websites of eight cities in the United States and one thing they have in common is that they all use the Click2Gov platform, Trend Micro reports. Designed for community engagement, reporting of issues, and online payments, the Click2Gov web-based platform is used by local governments across the United States and has been the victim of financially-motivated threat actors in both 2018 and 2019.

Researchers are warning that the websites of eight U.S. cities - across three states - have been compromised with payment card-stealing Magecart skimmers. When asked which city websites were affected in this incident, researchers told Threatpost, "We can't say," adding that Trend Micro "Prioritizes responsible disclosure of security incidents and chooses not to 'name and shame' victims. Our primary goal is to help organizations identify and mitigate these incidents. We have notified the breached parties who will be responsible for handling the situation within each city."

The website of international retail chain Claire's was compromised by Macegart hackers for weeks amid an increase in overall online shopping due to the coronavirus pandemic, Sansec reports. The hackers injected malicious code not only into the fashion retailer's website, but also the online store of its sister brand Icing.