The infamous MageCart hits the American Cancer Society and Sixth June fashion site

Digital payment skimmer group is found targeting customer credit card data

E-skimmers target two sites to steal customer data

MageCart payment skimmers attack different websites: the newest victims include fashion sites and cancer organizations. Multiple security researchers revealed new MageCart payment skimmer attacks that pose a serious risk to the sites' customers.[1] It seems that the French online fashion store Sixth June and the shopping site of the American Cancer Society got hit around the same time. Reports about the attacks became public only a few days after similar news about the popular skincare brand First Aid Beauty appeared.[2]

These attacks have mainly been called MageCart skimmers because the initial technique involves the Magento e-commerce platform.[3] The malicious process focuses on infecting the site with code that steals payment card information from the person at the checkout.

The security researcher Jenkins was the first to mention the Sixth June hack, in his Twitter post.[4] However, almost at the same time another expert discovered a similar attack that used malicious code planted in the e-store that belongs to the American Cancer Society.

According to researchers, the malicious component was hidden in a fake Google Tag Manager snippet. Google Tag Manager is a tool that lets site owners handle and deploy marketing tags without having to change the source code. All the compromised sites showed variants of this fake snippet, although the hosts were different. Willem de Groot[5] stated:

The skimmer loader hides itself by hiding behind the (legitimate) GoogleTagManager code. It searches for “checkout” and will then load the actual skimming code.

A rapid spike in such activities shows that e-skimmers continue to pose a danger

Unfortunately, these sites are not the first victims. Various researchers who have already investigated MageCart scripts reported that they were surprised by the lack of response, even after notifying founders and companies that their services had been hacked. In most cases, the malicious scripts continued to run even after the researchers had notified the companies multiple times. The particular incident with Sixth June was spotted during a bigger investigation that uncovered more than 80 different sites showing similar behavior.

It is a bummer, but these malicious activities can go undetected because they are disguised as an official Magento service. Once the attackers' domain is registered, it can easily be mistaken for a safe one. For the victim, the whole process looks as simple as buying anything online: once someone buys an item on the site, the JavaScript code loads from the fake domain on the initial checkout page and on other pages like firecheckout or onepage.
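A defensive check for the fake Google Tag Manager snippet and the look-alike host described above, added here as an example (it is not code from the article or from the researchers it cites): it lists scripts that present themselves as GTM but reference a host other than www.googletagmanager.com, and notes whether the script mentions checkout pages. The allowlist, the function name and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GTM_HOSTS = {"www.googletagmanager.com"}  # assumption: only host genuine GTM loads from
GTM_MARKERS = re.compile(r"googletagmanager|gtm\.js|GTM-[A-Z0-9]+", re.I)
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>)\[\]]+""")
CHECKOUT_RE = re.compile(r"checkout|onepage", re.I)  # also matches "firecheckout"

# Constructed samples: a trimmed genuine GTM loader and a look-alike snippet.
GENUINE = """<script>(function(w,d,s,l,i){w[l]=w[l]||[];var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id='+i;})(window,document,'script',
'dataLayer','GTM-XXXX');</script>"""
LOOKALIKE = """<script>/* GoogleTagManager */
if(location.href.indexOf('checkout')>-1){var j=document.createElement('script');
j.src='//gtm-cdn.example/gtm.js';}</script>"""

class ScriptCollector(HTMLParser):
    """Collect [src, inline_body] for every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append([dict(attrs).get("src") or "", ""])
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1][1] += data

def audit_gtm_snippets(html):
    """Report scripts that present as GTM but reference a non-Google host."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        text = src + "\n" + body
        if not GTM_MARKERS.search(text):
            continue  # script does not present itself as Google Tag Manager
        urls = ("https:" + u if u.startswith("//") else u for u in URL_RE.findall(text))
        foreign = sorted({h for h in (urlparse(u).hostname for u in urls)
                          if h and h not in GTM_HOSTS})
        if foreign:
            findings.append({"hosts": foreign,
                             "checkout_gated": bool(CHECKOUT_RE.search(body))})
    return findings
```

Run it against the rendered HTML of checkout pages and treat any finding as a script to review by hand; a host that is not on the allowlist is a lead, not proof of compromise.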

Hackers can purchase anything under the name of the cardholder

Reports on the analyzed payloads show more specific details about the information that MageCart collects and uses after the attack. The information that can be obtained is what is needed to make online purchases:

  • name printed on the card;
  • expiration date;
  • card number;
  • the CVV security number on the back of the card.

Nevertheless, data like email addresses, usernames, passwords, physical addresses, and phone numbers can also get stolen from particular accounts during the attack. When the criminal obtains such information, he can log into any account and reroute the order to any other place. MageCart started to work in global promotions two years ago and later on targeted companies like OXO and Newegg.[6]

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor's degree was in English Philology.
