Magecart Hits Popular Customer Review Plugin

The infamous Magecart digital skimming code has been found again, this time inserted into a customer rating plugin used on thousands of e-commerce sites.

RiskIQ, which has been tracking the groups behind Magecart for a couple of years, was alerted to the latest discovery on September 15.

This time, the malicious JavaScript was inserted into the code of Shopper Approved, a popular plugin that lets customers leave reviews with online retailers and the like.

In that respect, it’s a supply chain attack of the sort seen with Ticketmaster partner and Inbenta Technologies rather than a direct web compromise as per British Airways.

It could be the same group as the one which inserted Magecart into Feedify last month, as the two attacks shared the same server for receiving exfiltrated card details, according to RiskIQ threat researcher Yonathan Klijnsma.

Interestingly, the attackers also made a mistake with the Shopper Approved campaign, initially forgetting to obfuscate their code, which has given RiskIQ some useful info.

Thanks to the speedy action of Shopper Approved — which removed the script two days later, launched a full investigation and brought in forensic experts — only “a small fraction” of its clients were apparently affected.

Klijnsma argued that all e-commerce players should block third-party scripts from being displayed on checkout pages, to mitigate the Magecart threat — which has been traced to six groups, although there could be more out there.

“Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. These attacks are only getting more and more traction as the groups learn how to become more effective,” he concluded.

“While initial attacks involved low-tier Magento stores, later attacks targeted CDNs to increase their reach. Now, Magecart operatives have learned to tune the CDNs they compromise to ensure that the only sites they hit are online stores. To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites.”
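Klijnsma's advice about keeping third-party scripts off checkout pages can be checked mechanically. The following is an added example, not code from RiskIQ or Shopper Approved: it lists every script a checkout page loads from another origin and shows a policy header that restricts script execution to the site's own origin. The hostnames, page URL and sample HTML are constructed for illustration.

```javascript
// Added example: audit a checkout page for third-party <script> tags.
// All hostnames and the sample HTML below are constructed, not real data.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://shop.example/static/js/cart.js"></script>
<script src="//reviews-widget.example/seal.js"></script>
<script src="https://cdn.analytics.example/a.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
</head><body></body></html>`;

// Return every external script whose origin differs from the page's origin.
function findThirdPartyScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!src) continue; // inline script: no remote origin to compare
    const raw = src[1] || src[2] || src[3];
    let resolved;
    try {
      resolved = new URL(raw, page); // resolves relative and //host URLs
    } catch (e) {
      continue; // unparsable src: nothing the browser would fetch
    }
    if (resolved.origin === page.origin) continue; // first-party script
    findings.push({
      url: resolved.href,
      origin: resolved.origin,
      // Subresource Integrity pins the file's hash, so a modified copy
      // served by the third party is refused by the browser.
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return findings;
}

// Response header for checkout pages: only same-origin script files run.
// Without 'unsafe-inline', inline <script> blocks are blocked as well.
function checkoutCsp() {
  return "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'";
}
```

Run against the sample page with `https://shop.example/checkout` as the page URL, the audit reports the review widget and the analytics script, and only the latter carries an integrity hash.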