Compromised ad company serves Magecart skimming code to hundreds of websites

Security researchers have flagged a new web-based supply chain attack by one of the cybercriminal groups that fall under the Magecart umbrella.

Magecart supply chain attack

The attackers managed to compromise Adverline, a French online advertising company with a European-focused clientele, and inject payment card skimming code into one of its JavaScript libraries for retargeting advertising.

The targets

“Web-based supply chain attacks compromise vendors that supply code often used to add or improve site functionality. This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are compromised,” RiskIQ researcher Yonathan Klijnsma explains.

Trend Micro researchers found the malicious skimming code loaded on “277 e-commerce websites providing ticketing, touring, and flight booking services as well as self-hosted shopping cart websites from prominent cosmetic, healthcare, and apparel brands”.

The compromise and the script

RiskIQ researchers believe that the group that mounted this attack is relatively new and previously performed only direct compromises. They call it Magecart 12.

The group apparently started readying the attack infrastructure in September 2018, but the Adverline compromise was effected at the end of December 2018.

“Magecart Group 12 uses a skimming toolkit that employs two obfuscated scripts. The first script is mostly for anti-reversing while the second script is the main data-skimming code. They also include code integrity checking that detects if the script is modified. The check is done by calculating a hash value to the script section, and stops the execution of the script if it finds that it doesn’t match the original hash,” Trend Micro researchers found.

The script also constantly cleans the browser debugger console messages to deter detection and analysis and uses fingerprinting routines to confirm that the browser session is from an actual consumer.

The main skimming code first checks whether the script is executed on a “Shopping cart” page by searching for a number of strings that are usually found on this type of page, e.g., “purchase”, “cart”, “paiement” (“payment” in French), and “kasse” (“checkout” in German).

Magecart supply chain attack

If it detects one or more of them, it springs into action: it steals the entered payment and billing data, assigns an identifier to it, encodes it all, and uses the use localstorage capacity of the visitor’s browser to store it.

Once the payment web page is closed or refreshed, the information is sent to a remote server operated by the criminals.

The aftermath

Trend Micro notified Adverline of the compromise, and the company has “handled the incident” and “carried out the necessary remediation operations in relationship with the CERT La Poste.” (Adverline is owned by Mediapost, a subsidiary of Le Groupe La Poste. CERT La Poste is the main public point of contact for any information technology security issue regarding Le Groupe La Poste and its subsidiaries.)

RiskIQ tried to get the domains involved in the attack taken down, but found that they have stopped functioning due to their DNS records changing.

“However because the registrar hasn’t responded to our takedown requests as of this writing, we do not know if the attackers still have control of the domains to continue the attack later,” they noted.

Unfortunately, end users can’t do much to prevent their information being stolen in this type of attack.

Disabling JavaScript would work, as these skimmers are JavaScript scripts, but the move often breaks important functionality on many web sites and would likely prevent them from making online purchases.