Magecart attackers have infiltrated cloud-based e-commerce provider Volusion to successfully infect at least 6,500 customer websites with malicious code designed to lift payment card information. To do this, they had to first break into Volusion’s Google Cloud environment.
Volusion is the latest target of Magecart, a threat that was first spotted a decade ago but has been ramping up over the past couple of years as attackers explore new vectors for compromise and it becomes easier to rent a skimmer kit, track malicious activity, and automate attacks at scale. Skimmers have been detected on more than two million sites, RiskIQ reports.
“During our investigations of Magecart, we have found that the attackers seem more experienced and thoughtful than many other skimmer groups,” Trend Micro researchers say in an interview with Dark Reading. “There are multiple Magecart actor groups who continually shift their tactics to improve their infection rates and revenue opportunities.”
As Afrahim explains, storage.googleapis.com is a Google Cloud Storage domain name for a file storage web service. Anyone can register, pick a bucket name, and serve their own content.
The second part of the script reads the stored data and posts it to the attackers’ primary server: hxxps://volusion-cdn.com/analytics/beacon. As Afrahim points out, even an analyst may look past a domain name like this, designed to blend in with Volusion. A GET request to Volusion-Cdn[.]com redirects to a legitimate Volusion CDN. However, he discovered the domain was only registered on September 7 and has nothing in common with Volusion infrastructure or name servers.
The Volusion incident can most likely be attributed to Magecart Group 6, also known for last year’s attack on British Airways, says Jerome Segura, head of threat intelligence at Malwarebytes. “They target sites that generate a lot of transactions, which helps them maximize their attack in a short time frame,” he explains.
Group 6 was recently identified as the FIN6 APT. Part of their tactics, techniques, and procedures involves creating exfiltration domains that mimic their victim, which aligns with their efforts to blend in and evade detection.
Service Providers Are Hot Targets
A September Magecart attack targeted the booking websites of chain-brand hotels, marking the second time Trend Micro saw attackers hitting e-commerce service providers instead of individual shops. In May, another skimming campaign hit the online stores of college campuses.
Adversaries are after the most accessible entry point. Many have targeted misconfigured AWS accounts because they’re the most obvious opening that will likely be unnoticed, but ultimately they’ll go after the vector that will give them the highest payout with the fewest resources.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio