Researchers at Trend Micro and RiskIQ have pulled the curtain away from a new Magecart sub-group that managed to insert card skimmer code into more than 200 companies by using a third-party vendor as an unwitting accomplice.
This differs from a conventional Magecart attack, in which the skimmer code is slipped directly into the e-commerce site itself. Ticketmaster and British Airways were among the companies that suffered Magecart attacks in 2018.
Magecart Group 12 was found to use a skimming toolkit with two obfuscated scripts. The first is primarily for anti-reversing, while the second is the main data-skimming code. To ensure the skimmer code has not been modified, it performs a code integrity check, and it continuously clears the browser's debugger console messages to hinder detection and analysis, RiskIQ and Trend Micro found.
The data is then sent to a remote server through HTTP POST.
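Two of the behaviours described above, a loop that keeps scrubbing the debugger console and HTTP POSTs of card data to a remote server, are observable from the page itself. The following is an added example, not code from the article, Trend Micro or RiskIQ; the thresholds, the allow-list of legitimate origins and the hook names are assumptions.

```javascript
// Added example, not code from the article, Trend Micro or RiskIQ. Page-side
// checks for two behaviours the article attributes to the Group 12 skimmer:
// console-clearing loops and POSTs of card data. Thresholds are assumptions.
// Luhn check: does a digit string look like a payment card number?
function luhnValid(s) {
  const digits = s.replace(/\D/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when a POST carrying a Luhn-valid card number targets an origin that is
// not allow-listed (the shop itself and its genuine payment provider).
function flagExfil(method, url, body, allowedOrigins, pageOrigin) {
  if (String(method).toUpperCase() !== "POST") return false;
  const origin = new URL(url, pageOrigin).origin;
  if (allowedOrigins.includes(origin)) return false;
  const tokens = String(body).match(/\d[\d -]{11,22}\d/g) || [];
  return tokens.some(luhnValid);
}

// True when at least `threshold` console.clear() calls fall inside some
// `windowMs`-wide sliding window, i.e. the console is being scrubbed in a loop.
function abnormalClearRate(timestampsMs, windowMs, threshold) {
  const t = [...timestampsMs].sort((a, b) => a - b);
  let start = 0;
  for (let end = 0; end < t.length; end++) {
    while (t[end] - t[start] > windowMs) start++;
    if (end - start + 1 >= threshold) return true;
  }
  return false;
}

// Browser hook: wrap console.clear so the rate check runs on live activity and
// reports through onAlert. fetch/XMLHttpRequest.send can be wrapped the same way
// to feed flagExfil. `g` defaults to globalThis and is a parameter for testing.
function installConsoleMonitor(onAlert, g = globalThis, windowMs = 10000, threshold = 20) {
  const clears = [], origClear = g.console.clear.bind(g.console);
  g.console.clear = () => {
    clears.push(Date.now());
    if (abnormalClearRate(clears, windowMs, threshold)) onAlert("console-clear-loop");
    return origClear();
  };
}
```

Load the hook before any third-party script so the wrappers are in place when vendor code runs; alerts should go to a server-side endpoint, since a skimmer that scrubs the console will also hide anything logged locally.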
RiskIQ also had some general information on Magecart Group 12 itself.
“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed,” the firm reported.