{"id":18244,"date":"2022-02-10T06:10:10","date_gmt":"2022-02-10T14:10:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/10\/news-11977\/"},"modified":"2022-02-10T06:10:10","modified_gmt":"2022-02-10T14:10:10","slug":"news-11977","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/10\/news-11977\/","title":{"rendered":"A new Magecart campaign is making waves"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Thu, 10 Feb 2022 13:48:30 +0000<\/strong><\/p>\n<p>Malwarebytes\u2019 researchers are closely monitoring web skimmers and have noticed that one of the infamous Magecart groups is causing a rise in the number of attacks while gobbling up over a quarter of the total number of attacks in one campaign.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Magecart attacks have increased in the past 30 days in part due to a campaign via naturalfreshmall[.]com (<a href=\"https:\/\/t.co\/yvruo8NbuR\">https:\/\/t.co\/yvruo8NbuR<\/a>)<\/p>\n<p>About 28% of all skimmer blocks from our Malwarebytes customers are tied to this domain. <a href=\"https:\/\/t.co\/S1Zha5cICk\">pic.twitter.com\/S1Zha5cICk<\/a><\/p>\n<p>&mdash; Malwarebytes Threat Intelligence (@MBThreatIntel) <a href=\"https:\/\/twitter.com\/MBThreatIntel\/status\/1491496347152773122?ref_src=twsrc%5Etfw\">February 9, 2022<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/div>\n<\/figure>\n<p>What all these attacks have in common is the domain where the malicious javascript is hosted: naturalfreshmall.com. 
Additional research by <a href=\"https:\/\/sansec.io\/research\/naturalfreshmall-mass-hack\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Sansec<\/a> shows a mass breach of stores running the Magento 1 ecommerce platform that can be tied to this campaign.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">More than 350 ecommerce stores infected with malware in a single day.<\/p>\n<p>Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https:\/\/naturalfreshmall[.]com\/image\/pixel[.]js.<\/p>\n<p>&mdash; Sansec (@sansecio) <a href=\"https:\/\/twitter.com\/sansecio\/status\/1486000220647444491?ref_src=twsrc%5Etfw\">January 25, 2022<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/div>\n<\/figure>\n<h2>Magento<\/h2>\n<p>Magento is an Adobe company that offers a hosted and self-hosted content management system (CMS) for web shops. The free version of Magento is open source which offers users the option to make their own changes and allows specialists to create extensions for the CMS.<\/p>\n<p>Magento 1 has reached end-of-life (EOL) and has <a href=\"https:\/\/business.adobe.com\/blog\/basics\/support-magento-1-software-ends-june-30-2020\" rel=\"noreferrer noopener nofollow\" target=\"_blank\">not been supported<\/a> since June 30, 2020. However, the platform is still in use by thousands of online stores. And because there&#8217;s a lack of security patches from Adobe, some are using community-provided patches. 
As you can imagine, the lack of vendor-provided patches makes stores running Magento 1 popular victims for skimmers like Magecart.<\/p>\n<h2>Magecart<\/h2>\n<p>Magecart was originally one group that was partly named after the platform they concentrated on (Magento). But Magecart is no longer just one threat actor. We&#8217;ve seen several groups that are all specialized in cyberattacks involving digital credit card theft by skimming online payment forms. Magecart mainly targets e-commerce websites, aiming to inject JavaScript skimmers on checkout pages.<\/p>\n<p>From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog <a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2021\/09\/the-many-tentacles-of-magecart-group-8\/\">post about Magecart Group 8<\/a>, we documented some of the web properties used to serve skimmers and exfiltrate stolen data.<\/p>\n<p>In recent news we <a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/segway-store-compromised-with-magecart-skimmer\/\">reported about the Segway online store<\/a> that was compromised by Magecart Group 12, who embedded the skimmer code inside a favicon.ico file.<\/p>\n<h2>The attack<\/h2>\n<p>According to the <a href=\"https:\/\/sansec.io\/research\/naturalfreshmall-mass-hack\" rel=\"nofollow\">Sansec research<\/a>, the skimmers abused a known leak in the Quickview plugin that is typically used to inject rogue Magento admin users. In this case, the skimmers used it to add a validation rule that they could later trigger by registering as a customer. 
In investigated cases the attacker left no less than 19 backdoors on the system.<\/p>\n<h2>Keeping your site safe<\/h2>\n<p>We have written an extensive post about <a href=\"https:\/\/blog.malwarebytes.com\/web-threats\/2021\/11\/how-to-defend-your-website-against-card-skimmers\/\">how to defend your website against skimmers<\/a>, but in summary, here&#8217;s what you need to do to keep your site safe:<\/p>\n<ul>\n<li>Make sure that the systems from where the site is administered are clean of malware.<\/li>\n<li>Use strong passwords and do not reuse them.<\/li>\n<li>Limit the number of administrators.<\/li>\n<li>Keep your site\u2019s software updated.<\/li>\n<li>Use a Web Application Firewall (WAF).<\/li>\n<li>Know that each dependency is a potential backdoor into your web pages.<\/li>\n<li>Use a <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/CSP\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Content Security Policy<\/a>\u00a0(CSP).<\/li>\n<li>Make sure you are made aware in case of problems, either by checking yourself or by having it done for you.<\/li>\n<\/ul>\n<p>Stay safe, everyone!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/web-threats\/2022\/02\/a-new-magecart-campaign-is-making-waves\/\">A new Magecart campaign is making waves<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/web-threats\/2022\/02\/a-new-magecart-campaign-is-making-waves\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Thu, 10 Feb 2022 13:48:30 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/web-threats\/2022\/02\/a-new-magecart-campaign-is-making-waves\/' title='A new Magecart campaign is making waves'><img 
src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/02\/Online_shopping.png' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Researchers have noticed and analyzed a massive number of attacks by one of the Magecart groups that can all be tied into one campaign by the domain they are using.<\/p>\n<p>Categories: <a href=\"https:\/\/blog.malwarebytes.com\/category\/web-threats\/\" rel=\"category tag\">Web threats<\/a><\/p>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/magecart\/\" rel=\"tag\">Magecart<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/magento\/\" rel=\"tag\">magento<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/naturalfreshmall-com\/\" rel=\"tag\">naturalfreshmall.com<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/web-skimmers\/\" rel=\"tag\">web skimmers<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/web-threats\/2022\/02\/a-new-magecart-campaign-is-making-waves\/' title='A new Magecart campaign is making waves'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/web-threats\/2022\/02\/a-new-magecart-campaign-is-making-waves\/\">A new Magecart campaign is making waves<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[19622,12370,24928,19624,11716],"class_list":["post-18244","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-magecart","tag-magento","tag-naturalfreshmall-com","tag-web-skimmers","tag-web-threats"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18244"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18244\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}