Analysis of a recent Magecart campaign


 On 13 March, SanSec disclosed a new Magecart domain used to host malicious JavaScript (.js) files that can collect credit card information from ecommerce site checkout pages. The site (jquerycdn[.]at) that hosted the scripts was present on at least 299 different victim stores. The most commonly attacked platform is Magento 1 ecommerce platform. Notably, support for Magento 1 ended on 30 June 2020, meaning that it will no longer receive security updates.

How does the web skimmer work?

“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” - SanSec. 


In this blog, I analysed the JavaScript Skimmers connected to jquerycdn[.]at in an ongoing campaign


knockout-fast-foreach.js

46fa357596e58272e6e2865c8b80bb96eb910c577267ce64bcada714c8eefdff



jquery.storageapi.min.js

20ef8044ce87142087cc996cf38c9476df5a95211a9aa03982bd2f17b789de62



Search for the presence of the jquery.storageapi.min.js Skimmer on sites via URLscan here.


jquery.bah-hashchange.min.js

082aa05bdc4869e4c7d40046c0a3ce7861fbfa89356ff714f1514a8e6775e460



Search for the presence of the jquery.bah-hashchange.min.js Skimmer on sites via URLscan here.



These JavaScript Skimmers use the function 'GetCCInfo' to collect the online shopper's credit card number, CVV number, card holder first and last name, smd the expiration date. The 'SaveParam' function collects the firstname, lastname, home address, and telephone number. All the data is then encoded with base64 and exfiltrated to jquerycdn[.]at/gate.php.

Although this campaign was detected back in March 2020, the site remains online and is hosted with AS47510 [Crex Fex Pex ISS, RU]. Additionally it appears the JS Skimmer continues to be injected onto ecommerce site’s checkout pages:





Indicators of Compromise (IOCs):

jquerycdn[.]at

jquerye[.]at

217.8.117.75

46fa357596e58272e6e2865c8b80bb96eb910c577267ce64bcada714c8eefdff

20ef8044ce87142087cc996cf38c9476df5a95211a9aa03982bd2f17b789de62

082aa05bdc4869e4c7d40046c0a3ce7861fbfa89356ff714f1514a8e6775e460

15dde9cb53a519b8c61edf29d758bc8c8ce52a778d2a3123e9fd3c93fef9c531


References: 

https://sansec.io/malware/jquerycdn.at 

https://twitter.com/felixaime/status/1258800483524804608

https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020


My Previous Blog titled “Deep-dive: The Magecart Collective” can be found here.


I want to extend my gratitude to @0xDISREL for helping me with research into these attacks. They provided useful insights into analysis of the JavaScript code. Give them a follow!


Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks