Magecart Group Likely Behind Increase in Formjacking Attacks

A recent analysis by Symantec researchers has found a significant increase in formjacking attacks. The reason, according to some, is an increase in activity from the Magecart group.

Larry Loeb, Blogger, Informationweek

September 28, 2018


An extremely specific type of attack that is used to steal credit card details and other e-commerce data, called formjacking, has seen a significant spike over the last 30 days, according to a new analysis from Symantec.

Formjacking is a term that describes the use of malicious JavaScript code to steal credit card details, as well as other information from payment forms on the checkout web pages of e-commerce sites, such as Amazon or Wal-Mart.

While formjacking is not a new technique, recent campaigns have been large and sophisticated, and they have increased dramatically since mid-August. Symantec researchers claimed to have blocked 248,000 formjacking attempts since then. More than one third of those blocks -- 36% -- occurred from September 13 to 20, according to Symantec.

Comparing the week of September 13 to the same week in August, Symantec observed that the number of instances of formjacking had more than doubled. Blocked requests jumped from just over 41,000 to almost 88,500 -- a percentage increase of 117%.

(Source: iStock)


The increases in formjacking seem to be linked to Magecart, the name of a threat actor that has previously carried out this kind of online skimming. These types of schemes can be traced back to 2015, with attacks on Magento e-commerce sites. Since then, the group has changed focus.

Willem de Groot, a security consultant, has been keeping tabs on these developments since they started and has been keeping a running tally on Twitter.

In the past two months, Magecart has been publicly linked to credit card information theft at Ticketmaster, British Airways, and Newegg as its malicious activities grow less specific in focus and broader in execution. (See British Airways Already Facing Lawsuits Following Data Breach.)

Those three widely known campaigns were dependent on third-party chat agent contractors to act as infection vectors. A chatbot from tech firm Inbenta had been used for customer support on the Ticketmaster websites that were formjacked.

A post-mortem showed that the malicious code may have been on the Ticketmaster website for almost a year. Ticketmaster warned its international customers that they may have been affected if they bought tickets between September 2017 and June 2018.

This wasn't just some skids at work. Altering the chatbot took some work. Executives with Inbenta have said that Magecart had exploited a number of vulnerabilities to target its front-end servers and alter the chatbot code.

There are other ways for Magecart to handle injection of malicious JavaScript than a poisoned supply chain, but few that are as efficient when all is in alignment.

The sudden growth in Symantec's blocking requests may be due to things becoming aligned.

For instance, Feedify is used by many websites to serve up push notifications to website visitors. It got hit by Magecart on September 11. While the company deleted the malware that Magecart had put into the site, it returned within 24 hours.

This caused some threat researchers to advise that companies stop using Feedify until the issue was resolved. However, for the British Airways and Newegg exploits, the initial infection vector that allowed the attackers to gain access to the websites is not known at this time.
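Because the chatbot and push-notification cases above both involve a third-party script whose content changed after the site began loading it, a site operator can compare what each vendor currently serves with a hash recorded at review time. The following is an added example, not code from the article or from Symantec; it uses the browser Subresource Integrity digest format, and the hosts, paths, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_sha384(body: bytes) -> str:
    """Digest in the form browsers accept in a script tag's integrity attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity) for every external <script>
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def audit(page_html, site_host, fetched, baseline):
    """Compare third-party scripts on a checkout page with their reviewed hashes."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for src, integrity in collector.scripts:
        if urlparse(src).hostname in (None, site_host):
            continue  # first-party script, out of scope here
        if src not in baseline:
            findings.append((src, "third-party script never reviewed"))
        elif sri_sha384(fetched[src]) != baseline[src]:
            findings.append((src, "content changed since review"))
        elif integrity != baseline[src]:
            findings.append((src, "unchanged, but not pinned with integrity"))
    return findings

# Constructed sample data: hosts, paths and script bodies are hypothetical.
CHAT, PUSH = "https://chat.example/widget.js", "https://push.example/sdk.js"
REVIEWED = {CHAT: b"function openChat(){}", PUSH: b"function subscribe(){}"}
BASELINE = {url: sri_sha384(body) for url, body in REVIEWED.items()}
PAGE = (
    '<script src="/js/checkout.js"></script>'
    f'<script src="{CHAT}" integrity="{BASELINE[CHAT]}" crossorigin="anonymous"></script>'
    f'<script src="{PUSH}"></script>'
)
# The chat vendor now serves different bytes than the ones reviewed.
FETCHED_NOW = {**REVIEWED, CHAT: REVIEWED[CHAT] + b"/* constructed change */"}

if __name__ == "__main__":
    for src, finding in audit(PAGE, "shop.example", FETCHED_NOW, BASELINE):
        print(f"{finding}: {src}")
```

A script tag that carries a matching integrity value is refused by the browser if the vendor's file later changes; one without it is caught only when an audit like this runs again.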

This one isn't going away so soon.


About the Author

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].
