Magecart Hackers: 2 New Tricks Stealing Payment Card Details


Researchers have discovered two new tricks actively used by the hacker group known as Magecart to steal payment card details. Their targets are mainly e-commerce websites and any other platform that handles large numbers of customers’ payment details.

In their previous successful attacks, they took advantage of vulnerabilities in e-commerce software or security mistakes to infect the targeted platform with JavaScript skimmers, also known as sniffers. This notorious hacker group is known for the attack on Ticketmaster, which stole 400,000 customers’ data. They were also linked to the British Airways attack, which was carried out with just 22 lines of code.


Researchers have found that the Magecart hackers steal payment card details using two techniques. The first is steganography: hiding code inside innocuous-looking files, such as an image file, from which it is later extracted and run to launch the attack.

According to Jerome Segura, director of threat intelligence at Malwarebytes, a Twitter user discovered an image that was actually a credit card skimmer. The image looked like an ordinary “free shipping” ribbon but contained a malicious script capable of stealing payment card details.

Segura explained that once the image file is loaded, the JavaScript is extracted from it with the slice() method and parsed. It is difficult to recognize how dangerous these files are without the help of a scanning tool; the JavaScript was discovered using a file scanning tool called Strelka.

The scanning tool grew out of Lockheed Martin’s Laika BOSS scanner. The steganography trick is hard to detect because most scanning tools and crawlers concentrate on HTML and JavaScript files rather than media files, so the hidden script sits silently and waits for an opportunity to strike. Media files are also mostly large and slow to process, which makes them a favorable hiding place for these scripts.
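The passage above explains that the skimmer is appended to an image and later cut back out with slice(), and that ordinary crawlers never look inside media files. The following is an added example, not code from the article, from Malwarebytes or from Strelka: a small Node.js check that walks a JPEG or PNG to its own end marker and reports any bytes that follow it, flagging trailers that look like script. The sample image bytes and the payload string are constructed for the demonstration.

```javascript
// Added example (not the article's or Strelka's code): flag image files that
// carry extra bytes after the image's end marker, the place where a skimmer
// "hidden in an image" is appended so that a loader can slice() it out again.

// Returns the offset just past the image's end marker (JPEG EOI or PNG IEND),
// or -1 if the buffer is not a JPEG/PNG that can be walked to its end.
function findImageEnd(buf) {
  if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xd8) {         // JPEG SOI
    let pos = 2;
    while (pos + 2 <= buf.length) {
      if (buf[pos] !== 0xff) return -1;                                // not at a marker: malformed
      const marker = buf[pos + 1];
      if (marker === 0xd9) return pos + 2;                              // EOI: the image ends here
      if (marker === 0xff) { pos += 1; continue; }                      // fill byte
      if (marker === 0x01 || (marker >= 0xd0 && marker <= 0xd8)) { pos += 2; continue; } // standalone markers
      if (pos + 4 > buf.length) return -1;
      pos += 2 + buf.readUInt16BE(pos + 2);                             // skip segment (length includes itself)
      if (marker === 0xda) {                                            // SOS: skip entropy-coded data
        while (pos + 1 < buf.length) {
          const b = buf[pos], n = buf[pos + 1];
          if (b === 0xff && n !== 0x00 && n !== 0xff && !(n >= 0xd0 && n <= 0xd7)) break; // next real marker
          pos++;
        }
      }
    }
    return -1;
  }
  const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG_SIG)) {
    let pos = 8;
    while (pos + 8 <= buf.length) {                                     // chunk: len, type, data, CRC
      const len = buf.readUInt32BE(pos);
      const type = buf.toString('latin1', pos + 4, pos + 8);
      pos += 12 + len;
      if (type === 'IEND') return pos;                                  // IEND: the image ends here
    }
    return -1;
  }
  return -1;
}

// Tokens that rarely appear in legitimate image trailers but are common in skimmers.
const SCRIPT_HINTS = /\b(function|eval|atob|document|window|fromCharCode|XMLHttpRequest|WebSocket)\b|<script/i;

// Classifies a buffer: 'clean' (nothing after the end marker), 'trailing-data'
// (extra bytes without script tokens, e.g. padding), 'suspicious' (script-like
// trailer) or 'unknown' (not a JPEG/PNG that could be parsed to its end).
function scanImage(buf) {
  const end = findImageEnd(buf);
  if (end < 0) return { verdict: 'unknown', trailingBytes: 0 };
  const trailing = buf.subarray(end);
  if (trailing.length === 0) return { verdict: 'clean', trailingBytes: 0 };
  const scriptLike = SCRIPT_HINTS.test(trailing.toString('latin1'));
  return { verdict: scriptLike ? 'suspicious' : 'trailing-data', trailingBytes: trailing.length };
}

// Constructed samples: a minimal JPEG (SOI, one empty APP0 segment, EOI) and a
// minimal PNG (signature + IEND), with and without an appended payload.
const CLEAN_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x04, 0x00, 0x00, 0xff, 0xd9]);
const CLEAN_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a,
  0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82]);
const PAYLOAD = Buffer.from('/*constructed*/function f(){document.forms[0].onsubmit=null}');
const TAINTED_JPEG = Buffer.concat([CLEAN_JPEG, PAYLOAD]);
const PADDED_PNG = Buffer.concat([CLEAN_PNG, Buffer.from([0x00, 0x00])]);

for (const [name, buf] of [['clean.jpg', CLEAN_JPEG], ['tainted.jpg', TAINTED_JPEG], ['padded.png', PADDED_PNG]]) {
  console.log(name, scanImage(buf));
}
```

Running this over the files a site serves from its media directory complements the HTML- and JavaScript-focused scanners the article mentions: a 'suspicious' verdict is worth a manual look, while 'trailing-data' is common and usually harmless (padding, metadata written by editors), so the two are kept apart rather than collapsed into one alert.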

According to Segura, the Magecart hackers have also resorted to another trick: using the WebSocket protocol for communication instead of HTTP. WebSocket supports real-time, bidirectional data transfer, but Segura stated that this is not the capability the hackers are interested in.

According to him, WebSocket provides a more covert way for the hackers to exchange data than the usual HTTP request-response cycle. Over the years, hackers have changed their approach whenever an old one gets exposed, and many have developed more potent and less suspicious ways of stealing payment card details, which are then put up for sale on the dark web.

Segura further revealed that after the hackers establish the WebSocket connection, a base64-encoded blob is sent to the target. This is then decoded and processed as JavaScript, acting as skimming code that exfiltrates data. The approach is very difficult for security tools to deal with, and it buys the hackers time to operate silently before being discovered.

The number of successful attempts by the Magecart hackers using this approach was not revealed, but it is likely that many people have already been victimized by this silent but potent cybercrime method, just as in the group’s previous successful attacks.


The discoverer of the method advised that the best way to defend against this WebSocket approach is to adjust the connect-src directive of the web page’s Content Security Policy. According to the report, this controls which URLs may be loaded through script interfaces such as WebSocket. It was also reported that Magecart is allegedly made up of about twelve criminal groups.
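To make the WebSocket exfiltration described in the preceding paragraphs and the connect-src mitigation concrete, here is an added example that is not code from the article or from Malwarebytes. It evaluates a Content-Security-Policy connect-src directive against the URLs a page's scripts try to reach, and contrasts a loose policy that allows any wss: endpoint with a strict host allowlist that only admits the page itself and its payment API. The page origin (shop.example), the policies, the payment API host and the skimmer endpoint name are all constructed, and the matching logic is a simplified reading of the CSP Level 3 source-expression rules (paths, nonces and hashes are ignored).

```javascript
// Added example (not the article's or Malwarebytes' code): evaluate a CSP
// connect-src directive to see which outbound connections a page may open.
// Matching is a simplified version of CSP Level 3 source-expression matching.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };
const NETWORK_SCHEMES = ['http', 'https', 'ws', 'wss'];

const schemeOf = (u) => u.protocol.slice(0, -1);           // 'wss:' -> 'wss'
const portOf = (u) => u.port || DEFAULT_PORT[u.protocol] || '';

// CSP3 scheme-part matching: an expression scheme also admits its secure or
// upgraded counterparts (http -> https, ws -> wss/http/https, wss -> https).
function schemeMatches(expr, actual) {
  if (expr === actual) return true;
  if (expr === 'http') return actual === 'https';
  if (expr === 'ws') return actual === 'wss' || actual === 'http' || actual === 'https';
  if (expr === 'wss') return actual === 'https';
  return false;
}

// Host-part matching: exact host, or '*.example' for proper subdomains only.
function hostMatches(expr, actual) {
  if (expr === '*') return true;
  if (expr.startsWith('*.')) return actual.endsWith(expr.slice(1)) && actual.length > expr.length - 1;
  return expr === actual;
}

// 'self': same host and effective port as the page; https pages may also use wss.
function selfMatches(page, url) {
  const ps = schemeOf(page), us = schemeOf(url);
  const schemeOk = ps === us || (ps === 'https' && us === 'wss') ||
    (ps === 'http' && ['https', 'ws', 'wss'].includes(us));
  return schemeOk && page.hostname === url.hostname && portOf(page) === portOf(url);
}

function sourceMatches(expr, url, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return selfMatches(page, url);
  if (expr === '*') return NETWORK_SCHEMES.includes(schemeOf(url));    // simplified '*'
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);              // e.g. "wss:"
  if (schemeOnly) return schemeMatches(schemeOnly[1].toLowerCase(), schemeOf(url));
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\*|\d+))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;                                                // unsupported expression
  const [, scheme, host, port] = m;
  const exprScheme = (scheme || schemeOf(page)).toLowerCase();         // no scheme: use the page's
  if (!schemeMatches(exprScheme, schemeOf(url))) return false;
  if (!hostMatches(host.toLowerCase(), url.hostname.toLowerCase())) return false;
  if (port === '*') return true;
  // No port in the expression means the URL must use its scheme's default port.
  return (port || DEFAULT_PORT[url.protocol] || '') === portOf(url);
}

// Parses the header, picks connect-src (falling back to default-src) and
// reports whether the page at pageOrigin may open a connection to targetUrl.
function connectAllowed(cspHeader, targetUrl, pageOrigin) {
  const directives = new Map();
  for (const d of cspHeader.split(';')) {
    const [name, ...sources] = d.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  const sources = directives.get('connect-src') || directives.get('default-src');
  if (!sources) return true;                                           // no applicable directive
  const url = new URL(targetUrl), page = new URL(pageOrigin);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Constructed scenario: a checkout page, its legitimate payment API, and the
// kind of endpoint a skimmer would open a WebSocket to (hostname is made up).
const PAGE = 'https://shop.example';
const LOOSE_CSP = "default-src 'self'; connect-src https: wss:";
const STRICT_CSP = "default-src 'self'; connect-src 'self' https://api.payments.example";
const TARGETS = [
  'https://api.payments.example/charge',   // legitimate payment call
  'wss://shop.example/live-cart',          // same-origin socket
  'wss://skimmer-c2.invalid/ws',           // exfiltration endpoint (constructed)
];

for (const t of TARGETS) {
  console.log(t, 'loose:', connectAllowed(LOOSE_CSP, t, PAGE), 'strict:', connectAllowed(STRICT_CSP, t, PAGE));
}
```

The loose policy admits the constructed skimmer endpoint because a scheme-only source such as wss: matches any host; the strict policy admits only the page's own origin and the named payment host, so the same WebSocket is refused. A browser reports such refusals as CSP violation reports when report-to or report-uri is configured, which is a useful detection signal in its own right.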

Their sole mission is to steal payment card details from e-commerce websites and other companies and sell them on the dark web, where other criminals use them for further fraud. According to research, thousands of websites have been infected through malicious script links used by the Magecart hackers.

The Magecart hackers have a common way of launching an attack, as seen in previous hacks. They injected a modified version of the Modernizr 2.6.2 JavaScript library into the British Airways website to steal customers’ payment card details.

According to the reports, the modification was a small piece of code that sends the payment card details to the hackers’ server whenever someone clicks the “submit” button after entering card information. The forms involved look legitimate and are very difficult to suspect. Not only Magecart but many other hackers have used similar methods to steal millions of credit card details.

Most e-commerce websites do not store customers’ payment card details. Because of this, hackers mostly do not attack the stored data directly but instead redirect the details customers enter to a fake form created by the threat actor. To guard against this, e-commerce websites should continuously scan their platforms to ensure the safety of their customers.

Source: Bankinfosecurity


