Magecart cyberattacks target Magento eCommerce platforms, injecting malicious JavaScript code that compromises checkout pages, steals payment card data, encrypts it, and exfiltrates to a remote server for subsequent misuse.
Researchers discovered sophisticated malware targeting Magento checkout processes by employing advanced obfuscation to evade detection, compromising both the filesystem and database.
VirusTotal's blocklist identifies two domains as malicious, and public reports indicate that these domains may be infecting websites with malware.
The researchers flagged a malicious script from the blacklisted domain dynamicopenfonts.app in a Magento store’s layout file (default.xml) and in its database configuration (the core_config_data table).
The XML file contained a malicious <referenceContainer> directive, which loaded an obfuscated JavaScript script just before the closing </body> tag, potentially compromising the system.
The script runs a function that checks whether the page URL contains the word “checkout” but not “cart”, which restricts its activity to the checkout pages and prevents unintended behavior elsewhere.
The script harvests credit card and user data from Magento’s checkout page, then encodes the stolen data as JSON, XOR-encrypts it with the key ‘script’, and Base64-encodes the result to obscure it in transit.
The skimmer embedded in the compromised forms extracts and encrypts the stolen payment details, then uses beaconing to transmit the Base64-encoded data to a remote server, likely hosted at staticfonts.com.
Beaconing is a covert technique in which scripts or programs silently transmit data from user devices to remote servers without the user’s awareness; it is used by both legitimate software and malware, which makes it a favored tool in cyberattacks.
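As an added example for analysts triaging a captured beacon (this is not code from the report or from Sucuri), the following Python reverses the encoding chain described above: Base64 decode, XOR with the key ‘script’, then parse the JSON. It assumes the XOR is applied byte-wise with a repeating key and that the JSON is UTF-8, since the report does not spell out those details; the sample payload is constructed here from fake test values, not a real capture.

```python
import base64
import json

KEY = b"script"  # XOR key named in the report; repeating-key use is an assumption


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. It is its own inverse, so one function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_beacon(payload: str) -> dict:
    """Reverse the chain the report describes: Base64 -> XOR -> JSON."""
    raw = base64.b64decode(payload, validate=True)
    return json.loads(xor_with_key(raw).decode("utf-8"))


def encode_sample(record: dict) -> str:
    """Produce a payload in the same format, used only to build test input for the decoder."""
    return base64.b64encode(xor_with_key(json.dumps(record).encode("utf-8"))).decode("ascii")


def looks_like_skimmer_beacon(payload: str) -> bool:
    """Triage heuristic: the payload decodes cleanly and carries card-like field names."""
    try:
        record = decode_beacon(payload)
    except ValueError:  # bad Base64, non-UTF-8 bytes and malformed JSON all subclass ValueError
        return False
    return isinstance(record, dict) and any(k.lower().startswith("cc") for k in record)


# Constructed sample: the card number is the standard Visa test number, not real data.
SAMPLE_RECORD = {"cc_number": "4111111111111111", "cc_exp": "12/29", "cc_cvv": "123",
                 "email": "victim@example.invalid"}
SAMPLE_PAYLOAD = encode_sample(SAMPLE_RECORD)

if __name__ == "__main__":
    print(SAMPLE_PAYLOAD)
    print(decode_beacon(SAMPLE_PAYLOAD))
```

In practice you would feed `looks_like_skimmer_beacon` the request bodies (or query strings) recorded by a proxy or WAF for outbound calls to unexpected hosts; a single-character XOR key offers no real secrecy, so recovering the plaintext is enough to confirm what data left the page.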
Magecart-style skimmer targets Magento checkout pages to steal payment data via form injection or input field extraction, where the threat actor employs dynamic techniques and encryption to evade detection, necessitating proactive security measures like regular audits, anomaly monitoring, and WAF deployment.
According to Sucuri, to enhance website security, regularly update software and plugins and use strong, unique passwords for admin accounts. Additionally, deploy a WAF for protection against vulnerabilities.
To safeguard website integrity and prevent unauthorized access, implement file integrity monitoring so that file modifications are detected promptly, and deploy a web application firewall to filter malicious traffic, thereby strengthening overall system security.
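The audit and file integrity monitoring advice above, carried out in code as an added example (not Sucuri's or Magento's own tooling): the script below inspects a Magento layout file for `<referenceContainer>` blocks that load scripts from hosts outside a per-store allowlist, runs the same check over `core_config_data` rows (both locations the report names as infected), and hashes a theme directory so that a later modification of default.xml shows up as a diff against the baseline. The allowlist, the `shop.example.invalid` store, and the sample rows and files are all constructed for the example; only dynamicopenfonts.app comes from the report.

```python
import hashlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: each store maintains an allowlist of hosts it legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.invalid"}

# Matches src="https://host/...", src='//host/...' and captures the host name.
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s]+)""", re.IGNORECASE)


def external_script_hosts(text: str) -> set:
    """Host names referenced by src= attributes in a fragment of HTML or XML."""
    return {m.group(1).lower() for m in SRC_RE.finditer(text)}


def scan_layout_xml(xml_text: str) -> list:
    """Flag <referenceContainer> blocks whose content loads a script from a non-allowlisted host."""
    findings = []
    for node in ET.fromstring(xml_text).iter("referenceContainer"):
        content = "".join(node.itertext())  # CDATA and text children, already unescaped
        for host in sorted(external_script_hosts(content) - ALLOWED_SCRIPT_HOSTS):
            findings.append(f"layout: referenceContainer '{node.get('name')}' loads script from {host}")
    return findings


def scan_core_config_data(conn: sqlite3.Connection) -> list:
    """Flag core_config_data rows that embed a <script> tag pointing at a non-allowlisted host."""
    findings = []
    rows = conn.execute("SELECT path, value FROM core_config_data WHERE value LIKE '%<script%'")
    for path, value in rows:
        for host in sorted(external_script_hosts(value) - ALLOWED_SCRIPT_HOSTS):
            findings.append(f"db: {path} embeds script from {host}")
    return findings


def hash_tree(root: Path) -> dict:
    """SHA-256 of every file under root keyed by relative path: the FIM baseline."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, current: dict) -> list:
    """Files added, removed or modified since the baseline was taken."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append(f"removed: {rel}")
        elif rel not in baseline:
            changes.append(f"added: {rel}")
        elif baseline[rel] != current[rel]:
            changes.append(f"modified: {rel}")
    return changes


# --- Constructed samples (not real captures) ---------------------------------
CLEAN_LAYOUT = """<page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <body>
    <referenceContainer name="before.body.end">
      <block class="Magento\\Framework\\View\\Element\\Text" name="site.analytics">
        <arguments><argument name="text" xsi:type="string">
          <![CDATA[<script src="https://cdn.example.invalid/analytics.js"></script>]]>
        </argument></arguments>
      </block>
    </referenceContainer>
  </body>
</page>"""

# The same file with an extra block of the kind the report describes.
INJECTED_LAYOUT = CLEAN_LAYOUT.replace("</referenceContainer>", """</referenceContainer>
    <referenceContainer name="before.body.end">
      <block class="Magento\\Framework\\View\\Element\\Text" name="fonts.loader">
        <arguments><argument name="text" xsi:type="string">
          <![CDATA[<script src="https://dynamicopenfonts.app/font.js"></script>]]>
        </argument></arguments>
      </block>
    </referenceContainer>""", 1)


def sample_db() -> sqlite3.Connection:
    """In-memory core_config_data with one benign row and one injected row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data (path TEXT, value TEXT)")
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?)", [
        ("web/unsecure/base_url", "https://shop.example.invalid/"),
        ("design/head/includes", '<script src="//dynamicopenfonts.app/font.js"></script>'),
    ])
    return conn


def demo_fim() -> list:
    """Baseline a scratch theme directory, tamper with default.xml, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = root / "Magento_Theme" / "layout" / "default.xml"
        layout.parent.mkdir(parents=True)
        layout.write_text(CLEAN_LAYOUT)
        baseline = hash_tree(root)
        layout.write_text(INJECTED_LAYOUT)  # simulated compromise
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for line in scan_layout_xml(INJECTED_LAYOUT) + scan_core_config_data(sample_db()) + demo_fim():
        print(line)
```

The hash baseline should be taken from a known-clean deployment and stored off the web server, and the database check belongs in the same scheduled job as the file scan, since the report shows the injection living in both places at once.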