A new MageCart attack made the headlines, this time the gang compromised the website of popular Focus Camera.

The Magecart group has compromised the website of the photography and imaging retailer Focus Camera. The hack took place last year, the hacker planted a software skimmer on the website to steal payment card data of users that purchased the products on the portal.

Like other Magecart attacks (i.e. British Airways) the attackers registered a domain resembling a legitimate brand or product, in this case, they used the “zdsassets.com” a domain that resembles ZenDesk’s website “zdassets.com.”

The ‘ zdsassets.com ‘ domain was registered on 2019-11-08, while the e-skimmer was discovered by the researcher Mounir Hahad from Juniper Networks.

The attackers used the script to load a payload encoded using base64 and developed to steal personal and payment card data (email, customer name, address (billing, and shipping), phone number, and card details (number, expiration date, CVV code).

“Based on some DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation.” reads the analysis published by the expert. “It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns – At this time, we don’t have any telemetry to prove it one way or the other.”

The expert noticed that that the script was stealing data of customers who check out as a guest, he did not test the checkout process for registered users.

Juniper researchers reported their findings to the Focus Camera website that removed the malicious code.

“ MageCart continues to pose significant risk to online shopping and is expected to be one of the top cyber security stories of 2020. It is possible for site owners to guard against this attack by ensuring the integrity of their site’s source code.” concludes the expert.

Pierluigi Paganini