Researchers found a new type of malware that targets payment pages on legitimate Magento-hosted retail sites. Dubbed CartThief, the malware’s behavior is similar to that of the current iteration of the Magecart malware.
As soon as credit card information is entered into a checkout page and a payment is submitted, the malware collects, encrypts and sends personally identifiable (PII) and financial information to the malicious actors’ command-and-control server.
What sets this malware apart is the method used to encode or obfuscate the malicious domain and the PII data collection activity. To avoid arousing suspicion and sneak past many blocking technologies, there are no user-identifying cookies or source codes to set off alarms for users. The absence of cookies is one feature that differentiates CartThief from other Magecart variants.
“The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps,” wrote Michael Bittner, digital security and operations manager at The Media Trust.
By exploiting vulnerabilities in web applications, bad actors were able to attack Magento-hosted e-commerce sites and insert rogue files into legitimate HTML code, granting them access to the payment page. Because the activity has only been executed on a handful of smaller e-commerce sites, researchers believe that the attackers are intentionally flying under the radar while testing the malware before staging a larger-scale attack, which they suspect could come during the holiday shopping season.
“Given increasing malicious activity and the advent of financial penalties, e-commerce operations should police their digital ecosystem for any unauthorized activities and actors by continuously scanning their sites. Doing so will help them pre-empt any security issues,” Bittner wrote.