Tue, Mar 29, 2022
Kroll has investigated many different tactics that threat actors use to steal consumer data on e-commerce sites. These types of attacks can be especially damaging for organizations that are responsible for storing customers’ personal and financial information that is collected during transactions.
One of the most long-lived and persistent threat actor groups is Magecart. Technically, Magecart refers to the multiple cybercriminal groups known to exploit vulnerabilities within Magento e-commerce panels to steal payment card data, personally identifiable information (PII) or credentials through online skimming.
Many of the actors’ methods involve injecting malicious code into e-commerce checkout pages to steal credentials or modifying paths to checkout pages that lead users to enter their payment information on a fake checkout form.
Kroll experts observed one Magecart tactic where attackers inject malicious skimmer code via image files. The malware was designed to mimic a “favicon” (a favorite or shortcut icon): the actors modified a file path so that it pointed to a fake .png file. This so-called .png file was then used to load a PHP web shell script onto the server, which allowed the threat actor to execute commands and maintain persistence within the compromised system. This tactic is harder to detect because the web shell injects the malicious skimmer code on the server side. In other attacks, actors have created .jpg files and used them to store skimmed data until they are able to retrieve it.
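The disguised-image tactic above has a simple file-level tell: a file named like an image whose bytes are not an image, or which contains a PHP open tag. The script below is an added defensive check, not Kroll's code or tooling. It walks a web root, compares each image-named file's leading bytes to the magic number its extension implies, and flags any file that carries a PHP tag (including polyglots that start with a valid image header). The extension-to-magic table and the PHP markers are standard values; the directory it scans and the size cap are assumptions.

```python
"""Flag image-named files under a web root that are not actually images.

Added defensive example (not Kroll's code): Magecart operators have hidden
PHP web shells behind image-looking filenames such as a fake favicon .png.
"""
import os
from typing import Iterator, Optional, Tuple

# Expected leading bytes for common image extensions (standard magic numbers).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
}

# Substrings that should not appear inside a genuine image served from a web root.
PHP_MARKERS = (b"<?php", b"<?=")


def classify_image_bytes(filename: str, data: bytes) -> Optional[str]:
    """Return a finding label for a suspicious file, or None if it looks benign.

    `filename` is used only for its extension; `data` is the file content.
    PHP markers are checked first so that a polyglot with a valid image
    header followed by PHP code is still caught.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return None  # not an image extension; outside this check's scope
    if any(marker in data for marker in PHP_MARKERS):
        return "php_tag_in_image"  # PHP code embedded in an image-named file
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return "magic_mismatch"  # extension says image, bytes say otherwise
    return None


def scan_web_root(root: str, max_bytes: int = 4 * 1024 * 1024) -> Iterator[Tuple[str, str]]:
    """Walk `root` (assumed web root) and yield (path, finding) for suspicious files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap read size; markers sit early in shells
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            finding = classify_image_bytes(name, data)
            if finding:
                yield path, finding


if __name__ == "__main__":
    import sys

    # Usage: python scan_images.py /var/www/html  (path is an assumption)
    for found_path, found in scan_web_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{found}\t{found_path}")
```

Run it from a cron job or a file-integrity pipeline and treat any `php_tag_in_image` hit as an incident, not a warning; `magic_mismatch` hits are lower confidence (broken uploads also trigger them) and merit a look at the file's modification time and the account that wrote it.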
Kroll has also observed Magecart attackers modifying paths to checkout pages, leading customers to enter details on a fake checkout form. The attackers captured and exfiltrated online checkout information via a skimmer script. Once the victim enters payment information and hits the submit button on a form, the skimmer can exfiltrate the information to a domain that is owned by the threat actors. From there, the threat actors will pre-fill a fake PayPal payment form in place of legitimate forms. The skimmer will then click the order button behind the malicious iFrame to send the victim back to the legitimate checkout page. This tactic lends credibility to the fake PayPal payment form since autofill is commonly used when checking out from e-commerce sites.
Magecart attackers use various other techniques, from hiding malicious skimmer code within the obfuscated source code of legitimate websites, to pooling IP addresses to reduce the risk that actor-controlled servers will be taken down. Actors have also carried out persistent skimming attacks in which a hidden system process restores the skimmer code to a compromised e-commerce site after it has been discovered and removed.
Figure 1 – Example of a threat actor tagging and exfiltrating data
Kroll has seen a series of Magecart attacks where threat actors wrote code that stored skimmed cardholder data in a table inside the customer’s own database. In these instances, customers were unable to detect any illicit activity within their site, since the vast majority of the activity was happening within their own legitimate database.
Threat actors would later use an existing web shell to query the database table they’d created, or set an auto exfiltration timer, such that any net new data would be re-queried at a set cadence, often daily or twice daily. This minimized the need for threat actors to return to victim environments and manually exfiltrate data, essentially creating a never-ending stream of fresh cardholder data.
Dan Ryan, Associate Managing Director in our Cyber Risk practice, provides three important steps for protecting your e-commerce platform from Magecart attacks:
Securing your e-commerce platform is crucial to protecting yourself from Magecart attacks. Enabling MFA for every admin, implementing a hosted iFrame with a merchant acquirer, and regularly testing transactions can help keep your online store safe. For further guidance, contact one of our Kroll experts at one of our 24x7 cyber incident response hotlines or connect with us through our Contact Us page.
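One concrete form of the "regularly testing transactions" step, and a check against the path-modification and hidden-iFrame tactics described earlier, is to audit the checkout page's HTML for resources that point outside the origins you expect. The script below is an added example, not Kroll's code or guidance; it collects script sources, iframe sources and form actions, flags any whose host is not on an allowlist (the merchant's own host plus the acquirer's hosted-iFrame host, both placeholder names here), and additionally flags inline scripts containing common obfuscation helpers. The sample checkout HTML is constructed for the example.

```python
"""Audit checkout HTML for off-allowlist resources and obfuscated inline scripts.

Added defensive example (not Kroll's code). ALLOWED_HOSTS and the sample page
are placeholders; substitute the merchant's real host and the acquirer's
hosted-field origin.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Origins the checkout page is allowed to reference (hypothetical values).
ALLOWED_HOSTS = {
    "shop.example",                     # the merchant's own site
    "hosted-fields.acquirer.example",   # acquirer's hosted payment iFrame
}

# Elements whose URL attribute decides where data or code comes from / goes to.
URL_ATTRS = {"script": "src", "iframe": "src", "form": "action"}

# Helpers that legitimately appear in some pages but are common in obfuscated skimmers.
OBFUSCATION_MARKERS = ("atob(", "String.fromCharCode", "unescape(", "eval(")


class CheckoutCollector(HTMLParser):
    """Collect URL-bearing elements and inline <script> bodies from checkout HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[Tuple[str, str]] = []  # (tag, url)
        self.inline_scripts: List[str] = []
        self._script_buf: Optional[List[str]] = None

    def handle_starttag(self, tag: str, attrs) -> None:
        attrs = dict(attrs)
        if tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self.urls.append((tag, attrs[URL_ATTRS[tag]]))
        if tag == "script" and not attrs.get("src"):
            self._script_buf = []  # start buffering an inline script body

    def handle_data(self, data: str) -> None:
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def host_of(url: str, page_host: str) -> str:
    """Host a URL resolves to; relative URLs belong to the page host."""
    parts = urlsplit(url)
    if parts.scheme in ("javascript", "data"):
        return parts.scheme + ":"  # pseudo-schemes get their own label; never allowlisted
    return parts.hostname or page_host


def audit_checkout(html: str, page_host: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for off-allowlist hosts and obfuscation markers."""
    parser = CheckoutCollector()
    parser.feed(html)
    parser.close()
    findings: List[Tuple[str, str]] = []
    for tag, url in parser.urls:
        host = host_of(url, page_host)
        if host not in ALLOWED_HOSTS:
            findings.append(("offsite-resource", f"{tag}:{host}"))
    for body in parser.inline_scripts:
        for marker in OBFUSCATION_MARKERS:
            if marker in body:
                findings.append(("obfuscation-marker", marker))
    return findings


# Constructed sample: one legitimate script, the acquirer's iFrame, a form whose
# action was redirected off-site, a hidden iFrame from an unknown CDN, and an
# inline script using atob().
SAMPLE_CHECKOUT = """<html><body>
<script src="/static/js/checkout.js"></script>
<iframe src="https://hosted-fields.acquirer.example/card"></iframe>
<form id="pay" action="https://unknown-host.example/submit" method="post">
  <input name="cardholder"></form>
<iframe src="//cdn.unknown-assets.example/frame" style="display:none"></iframe>
<script>var d = atob("aGVsbG8=");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_CHECKOUT, "shop.example"):
        print(f"{kind}\t{detail}")
```

Fetch the live checkout page on a schedule (ideally through the same path a customer takes, since server-side injection only shows in the delivered HTML), run the audit, and alert on any new finding relative to the last clean run. Obfuscation markers are a weaker signal than off-allowlist hosts and are best used to prompt a diff of the inline script against the deployed source.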
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.