Every day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to shoppers, criminals are harvesting their personal information, including payment details in the online equivalent of ATM card skimming.
However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.
In the above and below screenshots, you can see that the threat actor was fine tuning the skimmer, after having done a few tests:
Just like with any other kind of third-party plugins, compromised Magento sites are loading this script within their source code, right after the CDATA script and/or right before the </html> tag:
According to a search on urlscan.io, there are currently over 200 sites that have been injected with this skimmer:
A look at the deobfuscated script reveals the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent to:
It's worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is taken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.
It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.
We reported the fraudulent GitHub account which was quickly taken down. We are also protecting our users by blocking the exfiltration domain.