Magecart Malware Scraped Card Data for 8 Months From a British Outdoor Clothing Retailer
Earlier this year, 18 different users complained to PayPal about fraudulent transactions observed on their bank accounts in a relatively short period of time, and after an investigation, the payment processor realized that they had one thing in common: they had all shopped at Páramo, an online shop selling outdoor clothing and gear. PayPal is responsible for processing Páramo's payments, so, naturally enough, it immediately notified the vendor. An investigation soon revealed that Páramo had been hit by what The Register described as Magecart.
Páramo suffers an e-skimmer attack
The term "Magecart" appeared a few years ago when cybercriminals developed a piece of malware capable of scraping credit card data during the checkout process at online shops. The "Mage" part of the name comes from the fact that Magecart was originally designed to attack websites built on the Magento open-source platform, but the term has since come to cover virtually all online skimming operations. Over the years, Magecart attacks have been launched by a variety of different cybercriminal gangs against targets of all shapes and sizes. Páramo is the latest in a long line of Magecart victims, and when you learn how the attack worked in this particular case, you'll see why the hackers love this breed of malware so much.
The initial infection vector remains unknown for now. Security researchers recently noticed a trend towards installing e-skimmers on Magento-based websites that use an unpatched plugin, but it is not clear whether this same technique was used in the case of Páramo. The hackers did manage to gain deep enough access to upload a JS file and then modify one of the website's PHP pages. As a result, Páramo's checkout appeared to operate exactly as intended. The payments were processed by PayPal, and the orders were logged as usual. In the background, however, the malicious JS file scraped customers' credit card data and forwarded it to the cybercriminals. Everything from the cardholder name to the CVV code on the back of the card was harvested, so it's no wonder that the 18 users noticed unusual activity around their bank accounts.
The malware stayed undetected for a whopping 8 months
Páramo told The Register that the Magecart actors managed to steal the details of 3,743 cards, which, considering the size of some of the other breaches we witness every day, doesn't appear to be that much. The malware remained undetected on the website for quite a while, however, which shows just how dangerous it can be.
Páramo located and removed the Magecart malware in March, but when its IT security specialists checked the logs, they realized that it had first been installed way back in July 2019. Even the quarterly security scans Páramo pays for failed to detect the malware, and over the next eight months, nobody suspected a thing.
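The two changes described above, a newly uploaded JS file and an edited PHP page, are exactly what a simple baseline-and-diff integrity check over the store's web root would surface, and running it daily rather than quarterly is what closes an eight-month detection gap. The following is an added example written for this article, not code from Páramo, The Register or any scanning vendor; the directory layout and file contents are constructed, and a real deployment would keep the baseline manifest off the web server.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an e-skimmer deployment typically touches: client-side scripts
# and the server-side pages that include them.
WATCHED_SUFFIXES = {".js", ".php", ".phtml", ".html"}


def build_manifest(root: str) -> dict:
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(root))] = digest
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return added, modified and removed files relative to a known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed store tree: record a baseline, then apply the two kinds of
    change the article describes and show that the diff reports both."""
    with tempfile.TemporaryDirectory() as root:
        js = Path(root, "skin/frontend/checkout.js")
        php = Path(root, "app/code/checkout/Onepage.php")
        for f, body in ((js, "// original checkout script\n"),
                        (php, "<?php // original checkout controller\n")):
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        baseline = build_manifest(root)

        # Simulated unauthorized changes (constructed): a new JS file appears
        # and a shipped PHP page gains one extra line.
        new_js = Path(root, "js/lib/loader.js")
        new_js.parent.mkdir(parents=True, exist_ok=True)
        new_js.write_text("// constructed: file not present in the baseline\n")
        php.write_text(php.read_text() + "// constructed: appended line\n")

        return diff_manifests(baseline, build_manifest(root))
```

Anything in `added` or `modified` that does not match a known deployment is worth a human look the same day, which is the difference between catching this in July and finding it the following March.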
Magecart is shaping up to be one of the biggest threats to online stores. It has already been central to quite a few major incidents, and the cybercriminal operations built around it are pretty successful. Although they are tasked with handling users' financial information, many administrators of online shops don't pay enough attention to security and run their websites on old, unpatched technology, which makes the crooks' job even easier. If you're responsible for the security of an ecommerce website, make sure Magecart takes a central place in your threat model. If, on the other hand, you're an avid online shopper, you could do worse than check your bank balance regularly and report any suspicious transactions promptly.