Magecart Injects Skimmer Code in Customer Rating Widget

The groups of attackers who specialize in injecting payment card skimmer code called Magecart into online shops managed to compromise a third-party customer rating plugin called Shopper Approved that’s used by thousands of websites.

The compromise happened Sept. 15 and was spotted quickly by researchers from RiskIQ, who have been tracking Magecart’s activities since last year through their network of sensors.

RiskIQ’s systems detected that suspicious code was injected into a file called certificate.js, which was hosted on shopperapproved.com. That script was part of a seal widget loaded by Shopper Approved customers on their own websites.

It turned out that the attackers made a mistake and initially injected their skimmer code in the clear, then returned 15 minutes later to inject an obfuscated version. Those 15 minutes were enough to trigger alerts.

“As soon as we detected the Magecart skimmer on Shopper Approved, we reached out to them via email, phone, and even LinkedIn to see if we could help provide them with information to remediate it,” RiskIQ said in a blog post. “On Monday, September 17th at 15:03:01 GMT, the skimmer code was removed from the site-seal script. Since then, we have been in frequent contact with Shopper Approved, which launched a full-scale internal investigation in addition to engaging a leading forensics firm to help find out exactly how this happened and who was affected.”

Luckily, there were limiting factors to the attack, and even though Shopper Approved is used by thousands of websites, only a small number of online shops were affected. That’s because the skimmer code was designed to steal information only from checkout pages that contained certain keywords.

It turns out that many shopping cart implementations disable third-party scripts on checkout pages—the pages where customers enter payment card information. Furthermore, most Shopper Approved customers didn’t include the compromised widget on checkout pages.

Even though this attack didn’t have a widespread impact, it highlights the danger of websites loading a large number of external scripts. This practice extends the attack surface beyond the website itself to the servers hosting all that third-party code.

Hacker groups that use web-based payment skimmers such as Magecart have displayed a high level of sophistication and have been responsible for data breaches at well-known brands in recent months, including Ticketmaster UK, British Airways and Newegg. Even when discovered, cleaning such infections can be challenging.

“Many websites use CDN services for caching, and we’ve noticed that often the skimmer code will be cached in the CDN and stay active there long after the skimmer is cleaned up from an affected site,” the RiskIQ researchers said. “As a site owner, be sure to purge any caching you are performing after your organization is hit with a skimmer like this.”

“Word to the wise: if you own an e-commerce company, it’s a best practice to remove the third-party code from your checkout pages whenever possible,” the researchers added.
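One way to act on that advice is to inventory which scripts a checkout page pulls from other hosts. The audit below is an added example, not code from RiskIQ or Shopper Approved; the hostnames, the sample page and the function names are constructed, and the regex tag scan is an assumption that holds for static markup only (scripts injected at runtime need a browser-based check).

```javascript
// Added example. Hostnames and the sample page are constructed for illustration.

// Read one attribute (quoted or unquoted) from an opening tag; null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// A host is first-party if it equals, or is a subdomain of, a listed host.
function isFirstParty(host, firstPartyHosts) {
  return firstPartyHosts.some((h) => host === h || host.endsWith('.' + h));
}

// List every script the page fetches from a host outside firstPartyHosts.
function auditScripts(html, pageUrl, firstPartyHosts) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(tag, 'src');
    if (src === null) continue; // inline script: nothing fetched from elsewhere
    const url = new URL(src, pageUrl); // resolves relative and //host/path forms
    if (isFirstParty(url.hostname, firstPartyHosts)) continue;
    findings.push({
      host: url.hostname,
      url: url.href,
      // true when the tag carries a Subresource Integrity hash, so the browser
      // refuses a body that differs from the pinned one
      pinned: attr(tag, 'integrity') !== null,
    });
  }
  return findings;
}

// Constructed checkout page for a hypothetical shop at www.shop.example.
const sampleCheckout = `
<script src="/static/cart.js"></script>
<script src="https://static.shop.example/pay.js"></script>
<script src="//seal.reviews.example/widget/seal.js" async></script>
<script src='https://cdn.example/lib.min.js' integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>var inline = 1;</script>`;

for (const f of auditScripts(sampleCheckout, 'https://www.shop.example/checkout', ['shop.example'])) {
  console.log(`${f.pinned ? 'pinned  ' : 'UNPINNED'} ${f.url}`);
}
```

Any host reported as unpinned can change what runs on the checkout page without the shop deploying anything, which is the exposure the compromised seal script created.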

Flash Player and Adobe Reader Missing from Adobe’s Patch Tuesday

Adobe Systems released security updates for several of its products Tuesday, as part of its monthly patching schedule, but Flash Player and Adobe Reader were not among them.

The lack of Reader and Acrobat updates is somewhat expected, because Adobe released security updates for these PDF applications Sept. 19 and again Oct. 1. However, Flash Player was last updated Sept. 11, and historically has been a constant presence in Adobe’s monthly patch releases, which are aligned with Microsoft’s and occur on the second Tuesday of each month.

Adobe released security updates this week for Adobe Digital Editions, Adobe Experience Manager, Adobe Framemaker and the Adobe Technical Communications Suite.

Framemaker and Technical Communications Suite each received fixes for a library loading vulnerability in their installers that could lead to privilege escalation. This type of flaw occurs when installers search for standalone DLL libraries in certain directories and automatically load them during execution, creating an opportunity for attackers to replace the libraries with malicious ones.

Adobe Experience Manager received fixes for two reflected cross-site scripting vulnerabilities rated Moderate and three stored cross-site scripting vulnerabilities rated Important. These flaws could result in sensitive information disclosure.

The flaws patched in Adobe Digital Editions are the most serious ones and are rated critical. If exploited successfully, they can lead to arbitrary code execution in the context of the current user.

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
