Magecart group compromises customer ratings tool, affecting ‘hundreds’ of online stores

Researchers with RiskIQ say they have uncovered and helped resolve a credit card-skimming threat that targeted a third-party web app that manages customer reviews.  The company attributes the threat to Magecart, a loosely associated set of hacking groups that exploit vulnerabilities in widely used third-party scripts.

Magecart has been linked to similar payment data breaches with Ticketmaster UK, Newegg, British Airways and others. But Yonathan Klijnsma, head researcher at RiskIQ, explained to CyberScoop that Magecart is more of an umbrella term to describe the independent groups that exchange and imitate other groups’ procedures.

In this case, RiskIQ says that a tool made by e-commerce software company Shopper Approved was compromised by Magecart threat actors, giving them the ability to skim payment information from the checkout pages of “a few hundred” online stores using the tool. RiskIQ labels this Magecart group “Group 5” and says it’s the same one that targeted Ticketmaster.

The tool is a plugin that merchants can use to display customer rating of products. On its website, it boasts that more than 7,000 companies use its tool.

But RiskIQ says that not all Shopper Approved clients were affected because of the way the hackers targeted their skimmer, among other factors. The attack only works when the merchant inserts the Shopper Approved tool onto the checkout page, so the Magecart group used keywords to target the tool only in those cases.

“They filter down on what they’re actually grabbing, because websites will have a ton of forms. Some search pages on websites will also technically be a form that you are submitting, and they don’t want to skim this because it’s just noise,” Klijnsma told CyberScoop.

Additionally, the report notes that many shopping cart platforms — often also third-party plugins — are actively blocking other third-party scripts from even working on checkout pages.

RiskIQ says it made the discovery on Sept. 15 and notified Shopper Approved soon after. The e-commerce company reportedly resolved the issue by removing the skimmer script within two days of the discovery.

Klijnsma noted that Shopper Approved had the best response out of any third-party provider that RiskIQ has notified. The company cut off contact with some Magecart victims, he said, when they got “aggressive” after being notified of a compromise. In statement in RiskIQ’s report, Shopper Approved Scott Brandley echoed the positive sentiment.

“On behalf of Shopper Approved, I want to personally thank the RiskIQ team for the diligence and incredible effort they’ve taken in helping us detect and secure our code in such a short amount of time,” Brandley said. “RiskIQ helped significantly limit the impact caused by Magecart – and for that, we will be forever grateful.”

The Shopper Approved case marks a supply chain hack because, as RiskIQ explains, Magecart targeted a single plugin used by numerous stores, rather than some website in particular.

Klijnsma said it’s not clear exactly how the attackers were able to tap into the code distributed by Shopper Approved. However, he said RiskIQ has observed a laundry list of ways that Magecart groups have hijacked third-party script, like using default default credentials, passwords from past data breaches, exploiting old versions of WordPress or Apache Struts, among others.

“This group specifically, any way they can get in, they will try,” Klijnsma said.

The lesson with Magecart and web app compromises, Risk IQ says, is to clean up online checkout pages and isolate third-party apps, whether they are for ratings, analytics, live chat, ads or something else.

“In effect, when you run a business and have a third party, your attack surface extends to anybody included on your website,” Klijnsma said. “They are all executing some form of code on their website, which means if they are compromised, you are compromised.”