Magecart’s Payment Card Data-Skimming Code Found on Forbes Magazine’s Website

The cybercriminal group Magecart has struck again, this time injecting their payment card data-skimming script into the subscription page of Forbes Magazine. The malicious script collects credit card information, which includes the customers’ names, addresses, contact numbers, and emails as well as the credit cards’ expiration dates and CVV/CVC verification codes. The malicious script has since been removed from Forbes’ subscription page.

The malicious activity, uncovered by Bad Packets’ Troy Mursch, is just one among a string of Magecart-related incidents. Last week, security researchers Willem de Groot and Yonathan Klijnsma spotted Magecart targeting web-based service providers, including CloudCMS, Picreel, and AdMaxim.

[Trend Micro Research: New Magecart Attack Delivered Through Compromised Advertising Supply Chain]

Magecart’s operations typically involve compromising their target’s supply chain in order to gain unfettered access to troves of personally identifiable information. Their targets’ online infrastructures are usually connected to or used by other service providers. Compromising these targets would in turn enable them to expand their reach and cast a wider net of potential victims. The stolen data can then be monetized in the cybercriminal underground or abused to perpetrate identity theft or fraud.

An example of the way Magecart operates can be seen in its attack on Adverline, an online advertising company. Trend Micro researchers, in collaboration with RiskIQ’s Klijnsma, found Magecart injecting skimming code in Adverline’s JavaScript library, which is used by e-commerce websites mainly in France. This enabled the hackers to steal data from all websites that embedded the compromised JavaScript library. In September 2018, de Groot saw a hacking campaign, presumably operated by the Magecart group, which affected over 7,300 websites running the Magento e-commerce platform.

Magecart’s attack on Forbes Magazine shows that the group doesn’t limit its attacks to e-commerce websites. In early May, Trend Micro researchers saw credit-card skimming activities from a group they named Mirrorthief, whose modus resembled Magecart’s. That operation targeted 201 online campus stores in the U.S. and Canada that use a JavaScript library the attackers hacked into. Other security researchers also saw Magecart targeting organizations in the video game and chemical manufacturing industries as well as news websites.

[InfoSec Guide: Defending Against Web Injections]

Supply chain attacks rely on an organization’s lack of visibility into their attack surfaces, which, in Magecart’s case, are unsecure third-party code on their web applications. This highlights the importance of security by design: ensuring the security of the components used to run their applications or websites, especially if they store and manage sensitive data.

Security and IT teams, programmers, and developers can further strengthen their website’s security with these best practices:

  • Regularly patch and update the software or component being used by the web-facing application or website.
  • Restrict or disable outdated or unnecessary third-party plug-ins or components, especially if they are no longer issued with patches.
  • Test and vet the website’s security, availability, and integrity as regularly as necessary.
  • Proactively monitor the website or application for unusual activities that may indicate, for instance, execution of anomalous scripts and unauthorized access to data.

The following Trend Micro solutions, powered by XGen™ security, protect users and businesses by blocking the scripts and preventing access to the malicious domains: Trend Micro™ Security; Smart Protection Suites and Worry-Free™ Business Security; Trend Micro Network Defense; and Hybrid Cloud Security.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.