Are Weak Passwords to Blame for the Attack on Feedify?

The Magecart cybercrime gang appeared in 2015, and at first, it didn't seem like the most sophisticated group of hackers to have ever walked the Earth. Their specialty is infecting e-commerce websites with malware and skimming credit card details of all the innocent online shoppers. At first, the Magecart hackers were mostly focused on lower-profile websites created with open-source content management systems like Magento.

They targeted this type of website for one simple reason – the software that is used to create and administer them is often riddled with security vulnerabilities, and although patches are usually released pretty quickly, the owners simply don't have the habit of applying them. This combination of less-than-perfect security and lack of updating habits makes this type of website extremely appealing to cybercriminals. The Magecart gang made quite a lot of money from these shops, but apparently, it wasn't enough.

Over the last few months, they learned some new tricks and decided to go after a few more substantial targets. In June, around 40 thousand Ticketmaster customers fell victim to Magecart's skimming malware, and earlier this month British Airways' website sent the credit card details of many individuals to a server controlled by the gang. This time, the number of victims seems to be closer to 400 thousand. There's no sign of slowing down, unfortunately.

The Feedify hack – killing hundreds of birds with one stone

After the news of the British Airways breach broke, independent security researchers and experts working for RiskIQ started looking for Magecart's next victim. They found some malicious code that looked like the Magecart malware in a JS file that was hosted on the servers of Feedify. This immediately set off some alarm bells because Feedify is not just another online shop. It's an Indian company that develops tools which let website owners send you push notifications.

You don't install these tools on your own server. Instead, you just add some code to your website which, in turn, pulls the functionality from files hosted on Feedify's servers. One of these files, as you might have guessed already, was the one the researchers found.

In what is a textbook example of a supply chain attack, the Magecart gang injected their JavaScript directly into one of Feedify's tools and thus managed to pull credit card details from customers of no less than 275 different websites.

Feedify: Hack? What Hack!?

The security researchers notified Feedify, and the developer quickly deleted the malicious code. Then, the hackers added it again and Feedify removed it. The Magecart gang injected the malware for the third time, and after it was removed yet again, they got either bored or cut off because since then, Feedify's JS files have been clean.

It was a fairly impactful attack. As we mentioned already, 275 websites were affected, and although this is a relatively small portion of Feedify's claimed 4,000 customers, it's by no means an insignificant number. What's more, the malicious code was first uploaded on August 17 and it remained live until September 11, so it likely slurped the credit cards of quite a few people.

But who are these people exactly? Well, Feedify isn't ready to disclose this kind of information. In fact, the developer's head-in-the-sand approach is somewhat baffling. The company made no announcement, it refused to talk to the media, and for the last ten days, it has acted as if nothing has happened. They are even pushing out blog posts telling you how important customer engagement is.

Thankfully, although Feedify's people won't do the decent thing and tell the world what went wrong, the security experts will do just that. Ever since they first discovered the malware, the specialists have been notifying affected websites, which will hopefully get in touch with potential victims to tell them exactly what has happened.

It should be pretty obvious that if you shop online regularly, you must keep a close eye on your bank statement for any suspicious charges. And if you own an online shop, this whole incident should be a pretty good illustration of why you shouldn't let third-party code on your payment pages. We hope that some lessons will be learned.
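
The lesson about third-party code on payment pages can be checked mechanically. The following is an added example, not code from the original article or from Feedify: it lists every script a page loads from another host and whether it carries a Subresource Integrity hash, which makes the browser refuse a file that was changed on the vendor's server. The hostnames and the sample page are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def sri_hash(script_bytes: bytes) -> str:
    """Return the Subresource Integrity value (sha384) for a script body."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity or None) for every <script src=...>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_third_party_scripts(page_url: str, html: str) -> list:
    """List scripts loaded from a host other than the page's own."""
    page_host = urlparse(page_url).hostname
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host != page_host:
            findings.append({"src": src, "host": host, "pinned": bool(integrity)})
    return findings


# Constructed sample checkout page; all hostnames and the hash are placeholders.
SAMPLE_PAGE = """
<script src="/static/checkout.js"></script>
<script src="//push.vendor.example/sdk.js"></script>
<script src="https://cdn.vendor.example/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
"""

if __name__ == "__main__":
    for f in audit_third_party_scripts("https://shop.example/checkout", SAMPLE_PAGE):
        print(f["host"], "pinned" if f["pinned"] else "NOT pinned", f["src"])
```

Pinning a hash only works for a vendor file that is versioned and does not change in place; a script that cannot be pinned is one to keep off the payment page.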

September 21, 2018
