Ecommerce Shopping Carts Targeted with Magecart Keylogger Malware


Earlier this month, over 5,900 online stores were found to be infected with online skimming malware. Since March 2016, credit card details have been stolen during online payments from online stores infected with malicious JavaScript code dubbed “Magecart”.

RiskIQ identified a new threat, Magecart, earlier this year, and has since found that it has compromised over 100 online stores. This is a new and more obscure risk for ecommerce stores: a threat actor injects a keylogger directly into the website itself.

Essentially, it skims credit card details from shoppers by exploiting unpatched security flaws in the store. Big brands such as Faber and Faber and Everlast have been affected so far, and it is a growing problem within the industry.


What is Magecart?

“Magecart” is a new compromise in which malicious JavaScript code is injected into a website, where it acts as a web-based keylogger. RiskIQ has traced this campaign back to at least March 2016, and has seen new attacker infrastructure being rolled out since then.

The RiskIQ analysis states: “Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—Magecart, a recently observed instance of threat actors injecting a keylogger directly into a website, is one of these.”

By injecting a keylogger directly into target websites, attackers can capture and collect payment card information. This data is stolen even where the seller works according to PCI standards and does not keep payment information in a database after the purchase has been completed, because the keylogger captures the card details in the shopper's browser as they are typed into the checkout form, before they ever reach the payment processor.


What makes Magecart different?

Magecart is a major threat for a number of reasons:

  1. Magecart affects sites on multiple ecommerce platforms, including Magento Commerce, Powerfront CMS and OpenCart.
  2. Integrations with multiple payment service providers are targeted, including Braintree and VeriSign.
  3. The formgrabber content is hosted on remote attacker-operated sites and served over HTTPS, and the stolen data is exfiltrated to these same sites over HTTPS.
  4. The malicious content has been refined over time: samples show signs of testing and capability development, a widening set of targeted payment platforms, testing of enhancements, added obfuscation, and attempts to hide behind the brands of legitimate web technologies.
  5. The injected code can also create bogus form fields in order to extract extra data from shoppers.

Back in May 2016, RiskIQ observed Faber and Faber serving Magecart injections from its Magento site. The infection takes place in two stages: a first script checks whether the user is on the checkout page, and once they reach the designated checkout page, that script loads the keylogger component.
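To make the indicators above concrete, here is an added example in JavaScript (runnable under Node.js) that is not code from the original post, from RiskIQ or from Xanthos: a defender-side audit of a checkout page's HTML that flags the three things the list and the two-stage description point to, namely scripts loaded from hosts outside an allowlist, off-site HTTPS URLs hard-coded in inline scripts (a possible exfiltration endpoint), and form fields that the checkout is not expected to contain. The allowlist, the expected field names, the sample HTML and every hostname in it are constructed assumptions for this example.

```javascript
// Added example, not code from the original post or from RiskIQ: an offline
// audit of a checkout page's HTML for the Magecart indicators described above.
// It reports (1) <script src> tags loading from hosts outside an allowlist,
// (2) off-site https:// URLs hard-coded in inline scripts (possible
// exfiltration endpoints), and (3) form fields the checkout is not expected to
// contain (bogus fields added to harvest extra data). The allowlist, expected
// field names and sample HTML are constructed; every hostname is a placeholder.

const ALLOWED_SCRIPT_HOSTS = new Set(['shop.example', 'cdn.example']);
const EXPECTED_CHECKOUT_FIELDS = new Set([
  'name_on_card', 'card_number', 'expiry', 'cvv', 'billing_postcode',
]);

// Resolve a script URL (absolute or relative) to its hostname; null if unparsable.
function hostOf(url, pageHost) {
  try {
    return new URL(url, 'https://' + pageHost + '/').hostname;
  } catch (e) {
    return null;
  }
}

// Return a list of {kind, value} findings for one checkout page's HTML.
function auditCheckoutHtml(html, pageHost) {
  const findings = [];
  let m;

  // (1) External scripts whose host is not on the allowlist.
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  while ((m = srcRe.exec(html)) !== null) {
    const host = hostOf(m[1], pageHost);
    if (host === null || !ALLOWED_SCRIPT_HOSTS.has(host)) {
      findings.push({ kind: 'unexpected_script_host', value: host || m[1] });
    }
  }

  // (2) Inline scripts (no src attribute) that reference an off-site host.
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    let u;
    while ((u = urlRe.exec(m[1])) !== null) {
      const host = u[1].toLowerCase();
      if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: 'unexpected_inline_url', value: host });
      }
    }
  }

  // (3) Form fields that the checkout is not expected to contain.
  const inputRe = /<input\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
  while ((m = inputRe.exec(html)) !== null) {
    if (!EXPECTED_CHECKOUT_FIELDS.has(m[1])) {
      findings.push({ kind: 'unexpected_form_field', value: m[1] });
    }
  }
  return findings;
}

// Constructed sample: a checkout page carrying all three indicators.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example/checkout.js"></script>
<script src="https://static.example-skimmer.invalid/js/analytics.js"></script>
<form id="checkout" method="post" action="/pay">
  <input name="name_on_card" type="text">
  <input name="card_number" type="text">
  <input name="expiry" type="text">
  <input name="cvv" type="text">
  <input name="billing_postcode" type="text">
  <input name="card_pin" type="text">
</form>
<script>
  // Placeholder inline snippet: an off-site collection endpoint (constructed).
  var endpoint = "https://collect.example-skimmer.invalid/s";
</script>
</body></html>`;

// Stand-alone run: print each finding as "kind: value".
for (const f of auditCheckoutHtml(SAMPLE_CHECKOUT_HTML, 'shop.example')) {
  console.log(f.kind + ': ' + f.value);
}
```

In practice such a check is most useful when run on a schedule against the live checkout page and compared with the previous run, since the article notes that the skimmer only loads its second stage on the checkout page and hides behind legitimate-looking script names; the allowlist has to be maintained alongside the store's own third-party scripts.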


RiskIQ also noted that many of the affected merchants are in the fashion industry, largely because ecommerce is very popular among fashion storefronts. RiskIQ stated that Magecart can steal data both from stores that handle their own payment processing and from those that hand payment off to specialised payment solutions.


Take necessary security measures

Attackers are constantly advancing their capabilities in order to seize revenue opportunities, so it is becoming ever more imperative for ecommerce site owners to take every possible step to secure data and safeguard payment card information.

Whether your site has been affected or not, you need to take your online security seriously. It’s important to safeguard your store by using strong admin credentials and keeping server and CMS software updated. If you are affected by cybercrime or a data breach, you can suffer a loss of revenue, customers, trust and loyalty.

How we can help

Here at Xanthos, we design and build our ecommerce stores on AspDotNetStorefront, a secure ecommerce platform with a huge range of functionalities.

AspDotNetStorefront has been defending against these JavaScript injection attacks, and all penetration scans have shown that the code in AspDotNetStorefront v10 does not suffer from this vulnerability.

If you’re looking to take your ecommerce store to the next level, get in touch today, and a member of the team will be in touch shortly.