MageCart, the notorious malware that has been haunting online stores by stealing payment card details from online shoppers at checkout, is reinfecting the same websites time and time again.

Dutch security consultant Willem de Groot, who has been tracking MageCart and similar threats since 2015 and has come across over 40,000 compromised stores, says in his most recent blog post that merchants are struggling to keep their checkout pages secured.

What is perhaps equally concerning is that online stores are cleaning-up their infected webpages only to have them compromised again. Indeed, in the last quarter de Groot’s reseawrch reveals that one out of five breached stores have been infected (and cleaned) multiple times. In some cases, de Groot says he has seen the same store reinfected up to 18 times by MageCart.

One of the affected online stores belongs to Kitronik, a UK-based company that sells electronic parts including the BBC micro:bit matchbbox-sized computer.

The MageCart infestation of Kitronik’s Magento-powered online store made the headlines in November, but de Groot revealed that what appeared initially to the outside world to be a single breach was actually a series of reinfections:

Hacked Sep 12, cleaned Sep 20
Hacked Sep 27, cleaned Oct 1
Hacked Oct 19, cleaned Oct 22

During August, September, and October, de Groot says he identified more than 5,400 web domains that are harbouring MageCart-like malware designed to steal credit card information from online shoppers. If one in five of those compromised sites are likely to be infected again, it is clear that MageCart will continue to skim credit card details from unsuspecting shoppers for the foreseeable future.

What has become apparent is that the bad guys are beating the good guys, by doing a better job of reinfecting sites than website administrators are at detecting and (Read more...)