GoggleHeadedHacker

About Me RSS
12 March 2020

Recent Magecart Activity on 60 E-Commerce Sites

by Jacob Pimental

I have recently found a few new domains that are associated with Magecart activity. This article will provide a brief overview of each domain, and will include information about the infected companies.

Jsvault.net and fileskeeper.org

Both of these domains are hosting the sames files and attacking the same companies. So it is safe to assume that they are from the same attacker. This campaign has attacked 17 companies, many of which are still compromised. The attackers seem to have created a unique script for each company they targeted, usually loading the script <company_name_here>.js.

Here is a table of the infected sites found so far:

Company Site First Seen Still Compromised
dropshippingbay.com www.dropshippingbay.com 2019-09-10 Yes
TAFE TRIBE tafetribe.com 2019-09-11 Yes
POSH Mommy www.poshmommyjewelry.com 2019-09-28 Yes
Cvapor www.cvapor.com 2019-10-06 No
GENERATION www.generation.com.pk 2019-10-28 Yes
Royal Slengor intl.royalselangor.com 2019-11-14 No
Kazem www.kazemhair.com 2019-11-15 No
K.L. Security www.safefile.com 2019-12-03 No
Pontto Lavabo ponttolavabo.com.br 2020-01-03 Yes
Crystal-Fashion® crystal-fashion.ro 2020-01-13 No
Serigrafiaitalia www.cplfabbrika.com 2020-02-07 No
Elgi Ultra Industries Limited www.elgiultra.com 2020-02-21 No
Village Farm Grocery villagefarmgrocery.com 2020-03-03 Yes
Car Seat Covers Direct www.carseatcoversdirect.com 2020-03-04 Yes

The script itself uses a fairly simple obfuscation technique where it runs a function at the beginning that contains some encoded text. The decoded text is a list containing information the skimmer needs to send information to the C2 (which is normally jsvault[.]net).

Sucuritester.com

This script is fairly new. I have only found references to it dating back to Feb 29th, 2020. It uses a list of base64 strings and a predefined function that will decode and decrypt them to get the information the skimmer needs to function correctly. Interestingly enough, the URL for the gate it sends the credit card information to is in plaintext in the script, so no real decryption is necessary.

The most interesting target of this campaign were multiple sites that sell items related to OSHA policies. After contacting the site ownsers it was made clear that these sites do not have an official affiliation with OSHA and instead sell products to help clients be OSHA compliant. Either way, they have removed the script not long after getting infected. Here is the table of the infected sites so far:

Company Site First Seen Still Compromised
CityPharma pharmacie-citypharma.fr 2020-02-28 No
King Palm kingpalm.com 2020-03-03 No
ALVARO MORENO www.alvaromoreno.com 2020-03-06 No
OSHA laborlawposters.org
hrsupportcenter.theoshastore.com
www.osha4less.com
2020-03-05
2020-03-06
2020-03-06
No
No
No
Misty Mountain Soap Co. mistymountainsoap.com 2020-03-06 Yes

Linkedtop.com

Linkedtop[.]com uses a list of base64 encoded strings to store information. It also appears that the script has the JSEncrypt library written inline, which is used to send the encrypted credit card data back to the malicious actor. This is also a fairly new script, with the earliest infection dating back to Feb 27th, 2019. Here is a list of the compromised sites:

Company Site First Seen Still Compromised
Madame Bridal madamebridal.com 2020-02-27 Yes
WEI Beauty weibeauty.com 2020-02-28 No
Forestfarm at Pacifica www.forestfarm.com 2020-03-01 Yes
Vapergate vapergate.com 2020-03-05 Yes
Girls on the Run® gotrshop.com 2020-03-06 Yes

Jquerycdnlib.at

This skimmer does not try to obfuscate its code at all. This is also the domain with the highest number of infections and the longest running campaign out of this bunch. The earliest infection seen goes back to Oct 1st, 2019, with some of those sites still infected today. Here is the list of impacted sites:

Company Site First Seen Still Compromised
UCC ucc-bd.com 2019-10-01 Yes
Pretty Salon prettysalonusa.com 2019-10-01 Yes
Prestige Fancy www.prestigefancy.com 2019-10-01 Yes
Pizzaholic www.pizzaholic.net 2019-10-01 Yes
Mdc Publishers www.mdcpublishers.com 2019-10-01 Yes
Kings2dental www.kings2.com 2019-10-01 Yes
Two A Jewelery eu.twoajewelry.com 2019-10-01 Yes
Diamond Blade Dealer www.diamondbladedealer.com 2019-10-01 Yes
Right Way HP www.rightwayhp.com 2019-10-01 No
Walter Tool waltertool.com 2019-10-01 No
Silicone Solutions siliconesolutions.com 2019-10-02 Yes
Regal Pens www.regaltw.com 2019-10-02 Yes
Stylish Fashion www.stylishfashionusa.com 2019-10-02 Yes
Board Book Albums boardbookalbums.com 2019-10-02 Yes
Shopatsimba.com www.shopatsimba.com 2019-10-03 No
X Prints www.xprintsdisplays.com 2019-10-04 Yes
Posimplicity www.posimplicity.com 2019-10-07 No
Vados Bait & Tackle www.vadosbait.com 2019-10-07 No
Urban Carry Holsters urbancarryholsters.com 2019-10-15 No
Psychology Pride www.psychologypride.com 2019-10-17 Yes
Red Dot Arms www.reddotarms.com 2019-10-22 No
Jan Marini www.janmarini.com 2019-11-03 No
Bula Verdde www.bulaverdde.com.br 2019-11-05 No
Steelio www.steelio.com 2019-11-07 Yes
Osborn www.shoposborn.com 2019-11-08 Yes
Harraca harraca-usa.com 2019-11-11 Yes
Petrx2go www.petrx2go.com 2019-11-13 No
Black Widow Custom Bows blackwidowbows.com 2019-11-14 No
Unlimited Wares www.knifelegend.com 2019-11-14 Yes
Keldan www.keldan.com.au 2019-12-10 Yes
Comit Stores www.comitstores.com 2019-12-12 No
US Animo usanimo.com 2019-12-17 No
Bantiny www.bantiny.com 2019-12-19 No
Ameda Direct babycarriersdirect.com 2019-12-23 No
High Performance Uni highperformanceuniforms.com 2020-01-05 Yes
BEHC sdwhpa.cn 2020-01-29 No
Jiffy Steamer jiffysteamer.com 2020-02-01 No
The James Trading Group www.jtgsites.com 2020-02-04 Yes
Honor Canvas honorcanvas.com 2020-02-05 No
Cockpit Hotel puerariamirifica.com 2020-02-07 No
The Health Store www.thehealthstore.ie 2020-02-16 No
Flexineb shop.flexineb.us 2020-02-16 No
LumaDent lumadent.com 2020-02-19 No
Alexander + David alexanderdavid.com 2020-03-02 Yes
Ventamatic bvc.com 2020-03-02 No
Medical Part Shop www.medicalpartshop.com 2020-03-04 Yes

Disclosure

All of the sites have been contacted about the infection. Only two of the sites hae contacted me back and have removed the infection. I have not heard back from any of the others.

Domain Takedown

I have contacted the registrars of the malicious domains, urging them to take the domains down. There has been no word back from them as of the time of writing and the domains are still up.

Conclusion

It is a little unsettling how easy most of these sites can be compromised. All of the listed sites are running an outdated version of Magento, some as old as version 1.5 which was released in 2011. If the sites do not patch, they will most likely be hit again. Hopefully these posts are spreading awareness of credit card skimming attacks and convincing companies to patch their systems. If you have visited any of the listed sites recently, please contact your bank and ask for a new credit card as your current card could be compromised. All of these domains were found using an automated tool I have been developing in my free time. I hope to release this tool soon. I will also be giving a talk on Hungting for Magecart at BsidesCharm where I will talk about methods used for hunting down infections and disclosing information appropriately. You can check it out on BsidesCharm’s website. If you have any questions or comments feel free to let me know on my Twitter or LinkedIn. I am always looking for feedback!

Thanks for reading and happy reversing!

tags: Reverse Engineering - Malware Analysis - Magecart - Skimmer - JavaScript