Magecart hacks Shopper Approved to simultaneously hit many e-commerce sites

New WAF attack timelines show the start and end of a threat.
No more logs. See how →

The cybercriminal groups under the Magecart umbrella strike again and again, and one of them has apparently specialized in compromising third parties to more easily get in as many online shops as possible.

The latest target of Magecart Group 5, as it has been dubbed by RiskIQ researcher Yonathan Klijnsma, is Shopper Approved, an organization that provides rating seals for online stores.

Magecart hacks Shopper Approved

The Shopper Approved compromise

The attackers have managed to compromise the Shopper Approved plugin, which is present on thousands of e-commerce sites, on September 15. It took two days for the organization to react to RiskIQ’s notification and to remove the Magecart skimmer code from it.

In those two days, only the shops that don’t block third-party scripts on checkout pages, have the plugin on their checkout pages and have a checkout page with specific keywords in the URL have been affected.

Shopper Approved says they’ve launched an investigation with the help of an outside IT forensics firm and that they’ve contacted potentially affected customers directly to let them known about the incident.

The group behind this attack appears to be the same one that perpetrated the Feedify compromise, as in both cases the same drop server (info-stat.ws) for the stolen payment card info was used.

A warning for everyone

Klijnsma says that RiskIQ is planning to release a report on the Magecart groups later this month and warns that they show zero signs of stopping.

Magecart groups started by attacking low-tier Magento stores, then switched to CDNs to increase their reach, and have learned to “tune” the CDNs they compromise to ensure that the only sites they hit are online stores.

“To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites,” he noted, and advised e-commerce companies to remove third-party code from their checkout pages whenever possible.

He also pointed out that affected organizations that use CDN services for caching should purge the cashing after they remove the skimmer code from their site. “We’ve noticed that often the skimmer code will be cached in the CDN and stay active there long after the skimmer is cleaned up from an affected site.”

Both Klijnsma and security researcher Willem de Groot also warned people investigating Magecart groups to be careful not to get spotted.

Are you protecting your users and sensitive O365 data from being leaked? Learn how Specops Authentication for O365 can help.