Magecart Goes Server-Side in Latest Tactics Changeup
Quote: Magecart Group 12, known for skimming payment information from online shoppers, was fingered for last September’s gonzo attack on more than 2,000 e-Commerce sites, and now researchers have issued a report explaining how they did it, detailing a new technical approach. The skimmers are still “very active,” according to the analysis.
 
The credit-card skimmer group is using PHP web shells to gain remote administrative access to the sites under attack to steal credit-card data, rather than using their previously favored JavaScript code, which they simply injected into vulnerable sites to log the information keyed into online checkout sites, according to Malwarebytes Labs’ Threat Intelligence Team.
 
Magecart 12, the latest incarnation of the web skimmer group, continues to launch attacks with malware created to mimic a favicon, also known as a “favorite icon” or “shortcut icon.”
 
“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file,” the report said. “The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file.”
 
But in this instance, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block, the report adds, because it injects the skimmer code on the server-side, rather than the client side.
 
“As such, a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation,” the report said. “A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.”
 
DOM is short for Document Object Model, which is an API for HTML and XML documents.
 
Despite the change, the group is still aimed at achieving the same goal: Injecting card skimming malware to steal customer payment-card details.
 
“Digital skimming or e-skimming attacks are a lucrative source of revenue for cybercriminals as stolen credit-card numbers are worth millions of dollars on the Dark Web,” Avishai Shafir from PerimeterX said, via email.

Read more: Magecart Goes Server-Side in Latest Tactics Changeup | Threatpost
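
A defender-side check for the mismatch the quoted report describes (a file presented as a .png that is not a valid PNG), as an added example that is not part of the article or the Malwarebytes report. The file names, directory layout and sample contents are constructed, and the PHP-tag match is a heuristic that can false-positive on large binary images.

```python
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte signature every valid PNG starts with

def inspect_png(data: bytes) -> list[str]:
    """Return reasons a file claiming to be PNG looks suspicious (empty list = clean)."""
    reasons = []
    if not data.startswith(PNG_SIG):
        reasons.append("missing PNG signature")
    elif data[12:16] != b"IHDR":  # chunk type follows the 4-byte length field
        reasons.append("first chunk is not IHDR")
    if b"<?php" in data.lower():  # heuristic: script source inside an "image"
        reasons.append("contains PHP open tag")
    return reasons

def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a web root and report every *.png whose content fails inspect_png()."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reasons = inspect_png(fh.read())
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def _chunk(kind: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))

def build_samples(root: str) -> None:
    """Constructed samples: a minimal valid 1x1 PNG and an inert text file named .png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    valid = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    fake = b"<?php /* constructed placeholder, no functionality */ ?>"
    for name, data in (("logo.png", valid), ("favicon_fake.png", fake)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        print(scan_webroot(d))
```
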