Security researchers have observed a campaign in which cyber criminals attack e-commerce websites to steal the payment card details and other sensitive information that customers enter on those sites.
The campaign, known as Magecart, was discovered by the cloud-based security firm RiskIQ. It is believed to have been running since March 2016 and is still active. Some of the attacks, aimed at Magento sites, have been detailed by the security firm Sucuri.
However, RiskIQ said the attackers also targeted other platforms, including Powerfront CMS and OpenCart. The targeted payment processing services include Braintree and VeriSign.
RiskIQ identified more than 100 hacked online shops around the world as part of the Magecart campaign, including shops belonging to well-known book publishers, fashion companies and sporting-equipment manufacturers. The attackers are also believed to have compromised a UK gift shop associated with cancer research.
JavaScript code injected into the websites captured the information users entered into purchase forms, with the attackers effectively acting as a man in the middle between the victim and the checkout page. In some cases, the malware also added fake form fields to the page to trick victims into handing over additional information of value to the attackers. The captured data was then exfiltrated over HTTPS to a server under the attackers' control.
By loading the keylogger from an external source rather than injecting it directly into the compromised website, the attackers could update their malware without having to reinfect the site.
RiskIQ says the campaign peaked in June, after the attackers began using an Eastern European bulletproof hosting provider to host the domains serving the malware. In the most recent attacks, the researchers also observed additional obfuscated script injections.