GitHub hosted Magecart skimmer used against hundreds of e-commerce sites
Cybercrime | News

GitHub hosted Magecart skimmer used against hundreds of e-commerce sites

Posted: April 26, 2019 by Jérôme Segura

Every day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to shoppers, criminals are harvesting their personal information, including payment details in the online equivalent of ATM card skimming.

Most often the skimming code—written in JavaScript and obfuscated—is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far most targeted.

However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.

This latest skimmer is a hex-encoded piece of JavaScript code that was uploaded to GitHub on April 20 by user momo33333, who, as it happens, had just joined the platform on that day as well.

In the above and below screenshots, you can see that the threat actor was fine tuning the skimmer, after having done a few tests:

Just like with any other kind of third-party plugins, compromised Magento sites are loading this script within their source code, right after the CDATA script and/or right before the tag:

According to a search on urlscan.io, there are currently over 200 sites that have been injected with this skimmer:

A look at the deobfuscated script reveals the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent to:

It’s worth noting that the compromised Magento sites will remain at risk, even if the GitHub-hosted skimmer is taken down. Indeed, attackers can easily re-infect them in the same manner they initially injected the first one.

It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.

We reported the fraudulent GitHub account which was quickly taken down. We are also protecting our users by blocking the exfiltration domain.

RELATED ARTICLES

leaking bucket in the cloud
News | Privacy

4.8 million healthcare records left freely accessible

December 13, 2024 - Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

CONTINUE READING 0 Comments
patched Apple
Apple | News

Update now! Apple releases new security patches for vulnerabilities in iPhones, Macs, and more

December 12, 2024 - Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

CONTINUE READING 0 Comments
data brokers have lots of location data
News | Privacy

Data brokers should stop trading health and location data, new bill proposes

December 12, 2024 - Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

CONTINUE READING 0 Comments
TikTok logo
News | Privacy

TikTok ban in US: Company seeks emergency injunction to prevent it

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

CONTINUE READING 0 Comments
Matrix encrypted messaging service seized
News | Privacy

Encrypted messaging service intercepted, 2.3 million messages read by law enforcement

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Jérôme Segura

Jérôme Segura

Sr Director, Research

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams