Security experts are warning e-commerce site webmasters to be prepared for more Magecart attacks after spotting skimming code uploaded to a GitHub page.
The hex-encoded piece of JavaScript code was uploaded on April 20 by user “momo33333,” who had joined the software development platform the same day.
“Most often the skimming code — written in JavaScript and obfuscated — is hosted on infrastructure controlled by attackers. Over time, they have created thousands of domain names mimicking Magento, the CMS platform that is by far most targeted,” explained Malwarebytes head of threat intelligence, Jérôme Segura.
“However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year.”
He warned that over 200 e-commerce sites have already been injected with this particular skimming code.
According to Segura, the compromised sites load the script within their source code right after the CDATA script and/or immediately before the tag.
Although the skimmer was quickly taken down after Malwarebytes informed GitHub, compromised Magento sites are still at risk of malicious injection in the future, he warned.
“It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods,” Segura concluded. “Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers.”
Back in October, a researcher warned that hackers were exploiting multiple zero-day vulnerabilities in Magento extensions which had not been patched by the vendor.
Multiple groups are using the Magecart code to covertly harvest payment card details from e-commerce sites as they are entered by unwitting consumers.
The latest, number 12, was discovered in January targeting French advertising agency Adverline with a plan to compromise its content delivery network via a digital supply chain attack.