Customer engagement service Feedify has been hit by Magecart attackers, who repeatedly modified a script that it serves to a few hundred websites to include payment card skimming code.

The current situation

The compromise was first flagged by someone who goes by Placebo on Twitter and duly reported to the company.

Feedify reacted by nuking the offending script – which was apparently modified on August 17 – but the attackers still had access to the company’s servers and they changed the script again and again.

FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT. URL: hxxps://cdn[.]feedify[.]net/getjs/feedbackembad-min-1.0.js /cc @Placebo52510486 @GossiTheDog @_feedify https://t.co/4DtpP3l0Wd — Yonathan Klijnsma (@ydklijnsma) September 12, 2018

Security researcher Kevin Beaumont advised all vendors to remove the offending JavaScript link from their stores as soon as possible, at least until Feedify definitely boots the attackers from their servers.

The script is currently present on nearly 300 websites, but it’s possible that not all of them require users to input their payment card info.

Feedify has still not publicly acknowledged the situation.

The Magecart threat

RiskIQ researchers use Magecart as an umbrella name for multiple groups, and those groups have been active for many years now.

Their latest and very prominent targets were TicketMaster and British Airways.

They used to compromise online shops directly, but they have become wiser since then and are now also hitting many targets simultaneously by compromising the third-party providers of scripts that site owners embed to add various functionality: one modified file on the provider’s server is loaded by every site that references it.

In British Airways’ case, they have also gone to the trouble of customizing the skimming script to make it less obvious and to set up an infrastructure that would blend in with normal payment processing to avoid detection.

“The attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” RiskIQ’s researcher Yonathan Klijnsma noted. To clear up any confusion, he later pointed out that while the script was a third-party library, it was self-hosted on the British Airways servers.

“This means the actors modified a script on the server which makes this a direct compromise of BA infrastructure, not a 3rd party,” he concluded.