Smilodon Webshell Powers a Magecart-like Skimming Campaign
The Magecart gang inspired hundreds of cybercriminals to employ Web-based skimmers in their malicious attacks. The good news is that these campaigns are not that widespread – attackers who want to get involved need to compromise an online vendor's website or server first and then deploy the malicious code responsible for the card-stealing attack. One of the latest campaigns of this sort is executed with the use of a new webshell called Smilodon or Megalodon. The Smilodon Webshell was found planted on Magento-based eCommerce websites, and researchers also discovered malicious code meant to hijack payment data from customers.
It is important to note that the deployment of the Smilodon Webshell precedes the card-skimming attack. This webshell supports many additional commands that would enable the attacker to take complete control of the compromised Web server. Of course, simply destroying the website is not profitable – this is why the criminals employ malicious JavaScript code to steal data from customers.
The bad news about the recent card-skimming attack involving the Smilodon Webshell is that the attackers have adopted a new method of loading the JavaScript code into the compromised website. This is meant to help them dodge security software that would otherwise block the suspicious connection or page. Thankfully, their experiment is not that successful, and users relying on reputable anti-malware software are likely to see a warning when they visit a compromised Web page that looks normal but behaves abnormally in the background.
Web-based skimming attacks are exceptionally dangerous since customers are the ones having their data stolen, while the shop administrators may have no clue that their server has been compromised. Because of this, such attacks may go unnoticed for months if the eCommerce website's administrators do not take the necessary measures to identify and intercept them. Another example of a similar attack can be found at Magecart Malware Scraped Card Data for 8 Months From a British Outdoor Clothing Retailer.