Magecart Credit Card Skimmer – Gen 2

Magecart is a major (virtual) credit card skimming attack that has taken down the likes of British Airways and Ticketmaster, among tens of thousands of other sites.  It works by inserting malicious code into the web server that grabs the customer’s credit card info as they enter it onto the web page.  This can be done by exploiting an unpatched vulnerability on the web site, by compromising an admin’s credentials, or by other methods.

Of course, web sites might be able to detect that malicious software has invaded their turf, so the hackers evolve.

Enter Magecart Generation 2.

Well, this is not literally true.  This new software isn’t based on the Magecart code, but rather on the Magecart concept.

More than likely, the dirty work of stealing the card data is actually done on the customer’s machine, inside the browser, with code downloaded from the infected server.  Because the theft, and the shipping of the data off to wherever it is going (possibly North Korea), happens on a consumer’s computer, which has almost no security, no logging, no auditing and no alerting, the odds of being detected before the credit card is used fraudulently are very low.

Gen 2 is called Pipka and one of its neat features (if you are a bad guy) is to delete itself from the web page’s code after it has done its dirty work, to make detection and even forensics much harder.

Pipka was discovered by Visa’s anti-fraud team.

They found it on the web server of an American merchant that had been infected with a different bit of malicious credit card skimming code called Inter.  People don’t learn.

In addition to this patient 0, Visa found the code on 16 more merchant sites.  How many more sites are infected?  Unknown.

Since this is an evolution (hence my calling it Gen 2), it is more sophisticated.  The hacker can choose which fields of the website’s payment form to take; that data is encrypted and stored in a cookie (after all, a card number is only 16 characters, and everything the hacker needs probably fits in less than 100-200 characters).

Since cookies fly around the Internet all the time and are often encrypted, they would fly under the radar.
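One defensive check that follows from the cookie trick above, added here as an example and not code from the original post or from Visa’s report: flag cookies set on a checkout page whose name is not on the site’s own allowlist and whose value is a long, high-entropy blob, the shape an encrypted card record would take.  The allowlist, the cookie name `_pk` and the sample headers are constructed assumptions.

```python
import math

# Assumed allowlist: cookie names this checkout page is known to set.
KNOWN_COOKIES = {"PHPSESSID", "cart_id", "csrftoken"}

# Constructed 128-character blob standing in for an encrypted payload of the
# 100-200 character size the post describes (base64 alphabet written twice).
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
BLOB = _B64 + _B64

# Constructed Set-Cookie headers as a checkout response might carry them.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=0f3a9c1d7b2e4f6a8c0d1e2f3a4b5c6d; Path=/; HttpOnly",
    "Set-Cookie: lang=en; Path=/",
    "Set-Cookie: banner_seen=" + "a" * 82 + "; Path=/",   # long but not random
    "Set-Cookie: _pk=" + BLOB + "; Path=/; Secure",      # unknown name, opaque value
]


def shannon_entropy(text):
    """Bits of entropy per character; ~6 for base64 of random data, 0 for 'aaaa'."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_set_cookie(line):
    """Return (name, value) from a Set-Cookie header line; attributes are ignored."""
    body = line.split(":", 1)[1] if line.lower().startswith("set-cookie:") else line
    pair = body.split(";", 1)[0].strip()
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def suspicious_cookies(header_lines, known=KNOWN_COOKIES, min_len=64, min_entropy=4.5):
    """Flag cookies with an unknown name and a long, high-entropy value."""
    findings = []
    for line in header_lines:
        name, value = parse_set_cookie(line)
        if not name or name in known:
            continue
        ent = shannon_entropy(value)
        if len(value) >= min_len and ent >= min_entropy:
            findings.append((name, "len=%d entropy=%.2f" % (len(value), ent)))
    return findings


if __name__ == "__main__":
    for name, why in suspicious_cookies(SAMPLE_HEADERS):
        print("suspicious cookie:", name, why)
```

Run it against the Set-Cookie headers your checkout pages actually emit; a legitimate new cookie will show up too, so the allowlist is what keeps the noise down.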

As I said before, when the dirty work is done, it deletes itself, making it difficult for developers and investigators to find.

Of course, once your server is infected, investigators like Visa’s will eventually trace the fraud back to it, and that is when all hell will break loose.

In British Airways’ case, the FINE ALONE – never mind the mitigation, the reputation damage, the credit monitoring services, etc. – cost them $230 million.

All because they didn’t have controls in place to detect this malicious code.  Because their security was not up to the job.

A lot of the sites that have been infected with Magecart are small.  Museum gift shops, for example.  A few very well known brands.

If you accept credit cards online, it is up to you to protect yourself.  Deal with it now or deal with it later.  It tends to be a bit more expensive to deal with it later. Just sayin’

Or wind up on the news.

Source: CSOOnline
