Magecart targets Magento, OpenCart and the Powerfront CMS

Oct 6, 2016 19:00 GMT  ·  By

Over 100 online stores have been compromised with a new type of web malware called Magecart that secretly logs data entered on checkout pages and sends it to the attacker's server.

First signs of this malware appeared in March 2016, but activity started to pick up in May when the first infections started to take root at high-profile online stores.

By the end of June 2016, Sucuri had stumbled upon a variant of Magecart, of which Softpedia reported as targeting Magento stores that used the Braintree Magento extension to support payments via the Braintree platform.

Magecart can target multiple e-commerce CMS platforms

In reality, this was only one facet of the Magecart attack, which companies such as ClearSky and RiskIQ continued to track across multiple online shopping platforms and infections.

The two say that, since March, the group behind the Magecart campaign have improved their capabilities, refining their malicious scripts in order to work across platforms such as Magento, OpenCart, and the Powerfront CMS.

The malware is nothing more than a JavaScript file added to a compromised site's source code. This usually happens when the attacker exploits a vulnerability in the CMS platform or the server itself. Once the attacker has access to the CMS platform or the underlying server, he adds his malicious code to the sites' source code.

Magecart only activates on checkout pages

Magecart infections take place in a two-stage process. In the first step, the script checks if the user is on the checkout page. Only when the user reaches URLs specific to each platform's checkout page does the Magecart script move to the second stage, where it loads the actual keylogger component.

Magecart script included on a live e-commerce store
Magecart script included on a live e-commerce store

This second-stage component is another JS script, meant to log what the user enters in form fields and send the collected data to a remote server under the attacker's control.

The scripts are loaded from domains that change from infection to infection, showing that crooks know how to hide their tracks. All scripts load via HTTPS, and the data is exfiltrated via HTTPS as well.

In cases where the checkout form doesn't gather all the information the attacker wants, Magecart can add input fields to the site's checkout form to collect all the data the attacker craves.

Over 100 stores affected

RiskIQ says Magecart can steal data from online stores that handle their own payment processing operations, or when they leave this to specialized payment solutions.

RiskIQ says Magecart was able to steal credit card information from sites that used the Braintree Magento extension or handled payments via VeriSign.

Some of the most high-profile companies that suffered Magecart infections via their online stores include Everlast and Faber & Faber. The full list of affected sites can be seen below.

The easiest way to safeguard against Magecart infections is to use complex admin credentials and to keep server and CMS software up to date.

Affected Stores

Photo Gallery (2 Images)

Online stores targeted with new Magecart malware
Magecart script included on a live e-commerce store
Open gallery