HackRead: Holiday Season Cyber Alert: Reflectiz Declares War on Magecart https://www.hackread.com/holiday-season-cyber-alert-reflectiz-war-on-magecart/ #Cybersecurity #PressRelease #CyberAttack #Reflectiz #MageCart #Skimmer

📬 Web-Skimmer-Angriffe: WordPress und Shopify besonders betroffen
#Datenschutz #ITSicherheit #Akamai #eCommerce #Magecart #Magento #RomanLvovsky #Shopify #WebSkimmer #WooCommerce #Wordpress https://tarnkappe.info/artikel/it-sicherheit/datenschutz/web-skimmer-angriffe-wordpress-und-shopify-besonders-betroffen-275905.html

#MageCart : l’extracteur de données financières ciblerait #WooCommerce depuis les environnements sous #WordPress ! (au moins depuis 2019…)

https://blog.sosordi.net/2023/04/magecart-lextracteur-de-donnees-financieres-ciblerait-woocommerce-depuis-les-environnements-sous-wordpress-au-moins-depuis-2019.html

#securite #data #vieprivee

New #Kritec #Magecart skimmer found on Magento stores

https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer

Added #EKFiddle detection rules for new #Magecart skimmer.

entrydelt[.]sbs/check[.]js
entrydelt[.]sbs/loader[.]min[.]js
flagmob[.]quest/id[.]min[.]js
flowit[.]pics/logg[.]min[.]js
prijetech[.]shop/ww[.]min[.]js
sanpatech[.]shop/techs[.]min[.]js
vitalmob[.]pics/pre-loader[.]js

https://github.com/malwareinfosec/EKFiddle

The #Magecart campaign via ASN RU-JSCIOT is still ongoing.

You've got to give it to them for impersonating legitimate services like chat application Olark for example.

Skimmer code:
static[.]olark[.]org/mod/addons.js
Skimmer exfiltration:
static[.]olark[.]org/t/

More background information on this campaign here: https://www.malwarebytes.com/blog/threat-intelligence/2022/06/client-side-magecart-attacks-still-around-but-more-covert

A couple of new #Magecart domains seen recently:

gtag-analytics[.]com
gogletags[.]click

One thing that caught my attention was code for the Cloudflare endpoint API. It looks like they are collecting IP addresses and user-agent strings for ulterior motives.

https://www.malwarebytes.com/blog/threat-intelligence/2023/02/multilingual-skimmer-fingerprints-users-via-cloudflare-endpoint-api

Website owners should secure their Google Tag Manager account and be on the lookout for injected code that would reference an additional GTM.

Several attacks I've looked at recently used a Google Tag Manager library to load credit card skimmers.

Here's an example and a couple of new #Magecart domains:
webstatlstics[.]com (skimmer)
info-select[.]com (exfiltration)

The breach of LCBO (Ontario’s Liquor Control Board) with a credit card skimmer was malicious code injected inside a Google Tag Manager snippet encoded as Base64.

It only loads the skimmer if the current URL contains the string 'checkou' (note the missing 't'). It then opens a websocket for communication which is more covert than a typical HTTP request.

The #Magecart domain is: magento-cdn[.]net, which was registered less than a month ago.

You can view the code in its entirety on this urlscanio capture flagged by SanSec.io:
https://urlscan.io/result/9b1f4ca6-7a15-4c4a-97f1-c28232f1f3ca/dom/

cc @serghei

Here is the original analysis by MalwareBytes of the mr.SNIFFA framework for credit card skimming | #magecart | https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven

Hacker stole credit cards from the website of #Canada's largest alcohol retailer #LCBO
https://securityaffairs.com/140823/data-breach/lcbo-magecart-attack.html
#securityaffairs #hacking #Magecart

I recently came across an interesting #Magecart skimmer where the threat actor seemed to be a crypto fanboy.

It's actually using the mr.SNIFFA toolkit and the domains are hosted with Russian-based DDos-Guard.

Thanks to the folks at SilentPush and their service for a deeper look in the infrastructure. Also, to @briankrebs for the name check on the briansclub site selling stolen credit cards.

You can read more about it in this blog post:
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven

Found a new skimmer #Magecart

https[:]//vk-0y7l5hkf[.]ru/gate/jquery-static.js

Following the exfiltration path for this credit card skimmer (#Magecart) led to an open directory loaded with stolen CC data.

The domain has now been suspended.

"The Jscrambler research team uncovered a new technique that attackers are using to get more targets: getting control of defunct domains that formerly hosted popular JavaScript libraries."

https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks/

#ecommerce #magecart #pcidss

Google Tag Manager injected with skimmer

Container id: d=GTM-KC9DJLG

Exfiltration domain googletrackevent[.]com was already known.

There's a great report on this #Magecart campaign here: https://go.recordedfuture.com/hubfs/reports/cta-2022-0920.pdf

#Magecart domain to watch out for
googleanalyticstag[.]com (currently does not resolve)

#AxisOfEasy 177: Ding Dong The Flash Is Dead

https://axisofeasy.com/aoe/axisofeasy-177-ding-dong-the-flash-is-dead/

##AxisOfEasy #AdobeFlash #Citizenlab #IMF #Kismut #KlausSchwab #Magecart #NSOGroup #Pegasus #Solarwinds123 #TheGreatReset #TimnetGeru #Zero-click #Zoom

#AxisOfEasy 175: Secrecy Around Top Canadian Cyber-Security Intelligence Officer Caught Spying For China

https://axisofeasy.com/aoe/axisofeasy-175-secrecy-around-top-canadian-cyber-security-intelligence-officer-caught-spying-for-china/

##AxisOfEasy #AlphaFoldAI #AWDL #bitcoin #CameronOrtis #DeepMind #DianneFrancis #Egregor #Ethereum2.0 #Fold@home #GoogleProjectZero #Magecart #NiallFerguson #NICC #RCMP #SansecThreatResearch #TimnitGebru

AxisOfEasy #175: Secrecy around top Canadian cyber-security intelligence officer caught spying for China

https://axisofeasy.com/podcast/175-secrecy-around-top-canadian-cyber-security-intelligence-officer-caught-spying-for-china/

#AlphaFoldAI #AWDL #bitcoin #CameronOrtis #DeepMind #DianneFrancis #Egregor #Ethereum2.0 #Fold@home #GoogleProjectZero #Magecart #NiallFerguson #NICC #RCMP #SansecThreatResearch #TimnitGebru