You Should be Losing Sleep Over These Two New Magecart Breaches!
We’ve now seen Magecart conduct numerous high-profile digital credit card-skimming attacks against major international companies to win unprecedented attention. Alongside British Airways, these attacks affected other brand names like Ticketmaster and Newegg.
Today, security professionals have Magecart firmly on their radar, but they must remember that Magecart is continuously evolving and new victims arise continually. At RiskIQ, we detect hundreds of Magecart incidents every day but don’t publicly document the vast majority of what we find — only significant events or changes in a group’s M.O. or capabilities.
In this blog, we’ll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep. One has been resolved but was never disclosed, and the other is ongoing despite numerous attempts by us to contact the affected retailer. In both cases, the potential victims of credit card fraud, the consumers, have not been informed.
Note: In both breaches, only online payments were affected, not physical transactions.
MyPillow
MyPillow is a pillow manufacturing company whose products sell at many different retailers. However, it also has an e-commerce platform on its own website, mypillow.com.
In October 2018, Magecart attackers breached MyPillow’s e-commerce platform with the intent to steal payment information, and it was clear that this targeted attack included some preliminary analysis of the target. On October 1st, the attackers registered mypiltow.com, a typo-squat on the primary domain of MyPillow, and set up Let's Encrypt to cover it with an SSL certificate. Based on what RiskIQ typically sees, this type of typo-squatting domain registration means that the attackers had already breached MyPillow and started setting up infrastructure in its name.
Magecart attackers then injected a script hosted on mypiltow.com into the MyPillow web store:
The script contains a copy of the “matchMedia() polyfill” JavaScript library followed by a heavily obfuscated skimmer:
This skimmer was active on the website for a short period, and the domain was quickly identified as illicit. However, the attackers seem to have maintained their access to MyPillow, and on the 26th of October they registered a new domain for stage two of the attack: livechatinc.org. This domain is more interesting because it top-level-domain (TLD)-squats on Livechat, an existing service that MyPillow used and that uses the ‘.com’ TLD for its official site. Livechat, a live support chat service that online retailers can add to their websites, is a ubiquitous sight on e-commerce websites and platforms.
The attackers played a brilliant game the second time they placed a skimmer on the MyPillow website, adding a new script tag for LiveChat that matched a script tag usually inserted by the LiveChat scripts. The Magecart attackers went even further by proxying the standard script returned from the real LiveChat service and appending the skimmer code below it:
The last time we observed this skimmer active on the MyPillow website was November 19th. Since then, we have not observed newly registered domains for attacks on MyPillow.
Amerisleep
Amerisleep is a mattress company with physical stores across the US and an online sales platform on amerisleep.com.
The first occurrences of compromise on the Amerisleep websites started back in April 2017. Over the rest of the year, the Magecart actors managed to skim cards during transactions. It all started with injected scripts hosted on magescripts.pw:
The called-out script contained an obfuscated skimmer:
This compromise held its ground for quite a long time. Here is a timetable of other observed scripts with the last one observed in October 2017:
It may seem there have been significant gaps in “coverage” of the skimmer for two reasons:
- RiskIQ crawlers do not crawl the Amerisleep website daily
- These script tags are injected through a PHP backdoor which would call back to its C2 server to obtain a URL to inject as a script tag. The domains for these C2s were rotated.
With the two factors above considered, we assume the first skimming operation ran from April 2017 until at least the first half of October 2017. After that, Amerisleep was clean of skimmers for close to a year — RiskIQ did not observe any injected skimmer tags to external domains during that time. However, in December 2018, Amerisleep fell victim to Magecart once again.
In December 2018, the attackers used a new skimming setup with a fascinating new method. The attackers abused GitHub by registering a GitHub account called “amerisleep” and creating the GitHub Pages address amerisleep.github.io:
The amerisleep.github.io repository contained three files: an empty README.md file, index.html, and jquery_validator.js. The index.html file simply contained a script tag for the jquery_validator.js script:
The jquery_validator.js script contained a skimmer that was included on the Amerisleep website directly:
Here is a cleaned-up version; it is a typical generic skimmer script:
This skimming method quickly disappeared. The actors decided to abandon the GitHub Pages approach and instead focus again on injections through their own custom domains. With help from GitHub, RiskIQ took down the GitHub repository and the GitHub Pages account.
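The lookalike hosts described in this post (the mypiltow.com typo-squat, the livechatinc.org TLD-squat, and the amerisleep.github.io Pages address) can be surfaced by comparing every script source on a page against an allowlist. The following is an added example, not part of the original post or RiskIQ's tooling; the allowlist, the shared-host list, the function names and the sample page are assumptions made for illustration.

```javascript
// Added example, not RiskIQ's tooling. Assumptions: TRUSTED and SHARED_HOSTS are illustrative
// lists, and the registrable domain is taken as the last two labels (no public-suffix handling).
const TRUSTED = ["mypillow.com", "livechatinc.com", "amerisleep.com"];
const SHARED_HOSTS = ["github.io"]; // platforms where anyone can claim <name>.<suffix>
// Levenshtein edit distance between two short strings (row-by-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Compare one script host with the allowlist and name the kind of lookalike, if any.
function classifyHost(host, trusted = TRUSTED) {
  const labels = host.toLowerCase().split("."), n = labels.length;
  if (n < 2) return "unknown";
  const name = labels[n - 2], tld = labels[n - 1], domain = `${name}.${tld}`;
  if (trusted.includes(domain)) return "trusted";
  for (const t of trusted) {
    const [tName, tTld] = t.split(".");
    // Brand name claimed as a subdomain of a shared hosting platform.
    if (SHARED_HOSTS.includes(domain) && labels[n - 3] === tName) return "brand-on-shared-host";
    if (name === tName && tld !== tTld) return "tld-squat";
    if (tld === tTld && editDistance(name, tName) <= 2) return "typo-squat";
  }
  return "unknown";
}

// Extract external script hosts from HTML and return the ones that are not allowlisted.
function auditScripts(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const host = new URL(m[1], pageUrl).hostname; // resolves relative and // URLs
    findings.push({ host, verdict: classifyHost(host) });
  }
  return findings.filter((f) => f.verdict !== "trusted");
}
// Constructed sample page: hostnames are the ones named in this article, paths are made up.
const SAMPLE = `<script src="/js/app.js"></script>
<script src="https://mypiltow.com/js/lib.js"></script>
<script src="//livechatinc.org/tracking.js"></script>
<script src="https://amerisleep.github.io/jquery_validator.js"></script>`;
console.log(auditScripts(SAMPLE, "https://www.mypillow.com/checkout"));
```

Hosts that match no lookalike rule still come back with the verdict "unknown", so any script source that is simply not on the allowlist is also surfaced for review.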
Starting in January, we observed a different skimmer that Magecart actors injected with some conditional checks to ensure the script would only go on payment pages. Formerly, the skimmers themselves would check to see if they were already on an active payment page.
These actors decided to move this check into the injection itself, so that their skimmers were injected only on payment pages rather than on every page:
While the skimmer domain, cmytuok.top, has been taken offline, the injection is still live on the website as of this publishing. Attempts to inform Amerisleep through their support desk and directly via email have gone unanswered.
Conclusion
With the increased efficiency of credit-card skimming groups, the time it takes for a large number of consumers to have their data stolen, seemingly out of nowhere, is decreasing quickly. Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.
Businesses need to focus on visibility into internet-facing attack surfaces and increase scrutiny of third-party services that form an integral part of modern web applications. The reputation of organizations that run payment forms online and the overall confidence of online shoppers is at stake.
Magecart is a whole new breed of threat
You’ve lately heard a ton of chatter from security vendors around Magecart — what it is, how it operates, and how you can defend against it. The problem is that most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. They’re copying the research of others, and some even add to the confusion by calling Magecart something completely different like “form jacking.”
Cut through the noise. Because of RiskIQ’s internet-scale visibility and ability to view a business’s internet-facing attack surface as Magecart sees them, our researchers and technology first exposed, profiled, and analyzed Magecart. We now continue to detect it as it evolves.
In the months and years to come, it is likely that new variants of these sorts of web skimming attacks will emerge, either from the current Magecart groups or from new ones. While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen, which widens the scope of potential Magecart victims far beyond just e-commerce.