Some of them were infected a second time and the script persisted, despite efforts from the researchers to contact the website owners.
The script is attributed to MageCart Group 12, as per extensive analysis from RiskIQ, a threat actor that changes tactics as its tricks get published in security reports.
More recent activity linked to this actor was documented by researchers Jacob Pimental and Max Kersten towards the end of January when they published details about two sports events ticket resellers running card skimming code.
The two researchers noticed that the skimmer is hosted on ‘toplevelstatic.com,’ which resolves to multiple IP addresses, mostly in Russia.
The two researchers found nine websites infected by this particular code and tried to contact all of the owners about the threat. None of them replied, and the researchers' latest check showed that the malicious script was still active on all but one.
Below is a list of the compromised sites and the latest known infection status. Those that got reinfected initially received the malicious script from a domain name that has been taken down and later got it from ‘toplevelstatic.com.’
- Suplementos Gym – compromise first confirmed on January 31 and then again on February 7, loaded from a different domain; clean at the moment
- Bahimi swimwear shop – first infected in November 2019, the skimmer has been removed after February 7
- TitansSports (sports glasses) – compromise confirmed in early January and the malicious script is no longer present
- BVC – first sign of infection seen on February 3 and nothing changed
- MyMetroGear – skimmer found on February 4 is also present at the moment of writing
- True Precision – skimmer discovered on February 4 is still running today
- Fashion Window Treatments – card data-stealing script initially seen on February 6 is still active
- Skin Trends – malicious code noticed on February 6 and removed before February 16
- Natonic (vitamins and cosmetics) – the only site where the researchers confirmed that the script is no longer running
The MageCart threat is relentless and, as long as there are vulnerable websites, hackers will try to plant payment card skimmers on them.
Admins running eCommerce platforms can avoid the threat, or at least minimize the risk, by updating the software as soon as a new release becomes available, and by keeping an eye on which third-party domains their checkout pages load scripts from.
Also, providing a communication line through which security researchers can send notifications would help them not only prevent customer card data from being stolen but also maintain a more secure website.
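The skimmer described above was injected as a script tag pulling code from a domain the shop owners had never approved ('toplevelstatic.com'). The following is an added example, not code from the researchers or from the article, of the kind of check a shop admin can run over their own checkout page to catch that pattern: collect every external script origin the page references and flag any host that is not on an allowlist. The sample HTML, the page URL 'https://shop.example/checkout' and the allowed CDN host 'cdn.trusted-example.com' are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample checkout page (hypothetical shop, not a real site).
# It loads a first-party script, a script from an approved CDN, an inline
# script, and a scheme-relative script tag pointing at the domain named in
# the report. The <img> tag is there to show that only <script> is counted.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.trusted-example.com/lib/forms.js"></script>
<script src="//toplevelstatic.com/js/jquery.min.js"></script>
<script>var pageReady = true;</script>
</head><body>
<img src="https://toplevelstatic.com/pixel.gif">
</body></html>
"""

PAGE_URL = "https://shop.example/checkout"          # assumed page URL
ALLOWED_SCRIPT_HOSTS = {"cdn.trusted-example.com"}  # assumed allowlist


class ScriptSrcCollector(HTMLParser):
    """Collects the absolute URL of every <script src=...> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                # urljoin resolves relative paths and scheme-relative
                # "//host/..." sources against the page's own URL.
                self.sources.append(urljoin(self.page_url, value.strip()))


def external_script_hosts(html, page_url):
    """Return the set of hosts (other than the page's own) that serve scripts."""
    parser = ScriptSrcCollector(page_url)
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    hosts = set()
    for src in parser.sources:
        host = (urlsplit(src).hostname or "").lower()
        if host and host != page_host:
            hosts.add(host)
    return hosts


def unexpected_script_hosts(html, page_url, allowed):
    """Hosts serving scripts that are neither first-party nor allowlisted."""
    return sorted(h for h in external_script_hosts(html, page_url)
                  if h not in allowed)


def csp_script_src(allowed):
    """Build a Content-Security-Policy script-src directive from the allowlist.

    Serving this header makes the browser refuse scripts from any host that
    is not listed, which blocks an injected tag even if the HTML is modified.
    """
    origins = " ".join("https://" + h for h in sorted(allowed))
    return "script-src 'self' " + origins


if __name__ == "__main__":
    print("external script hosts:", external_script_hosts(SAMPLE_HTML, PAGE_URL))
    print("unexpected:", unexpected_script_hosts(SAMPLE_HTML, PAGE_URL, ALLOWED_SCRIPT_HOSTS))
    print("suggested CSP:", csp_script_src(ALLOWED_SCRIPT_HOSTS))
```

Run against the live checkout page (fetch the HTML, pass it in with the real URL and the real allowlist) on a schedule; a new host in the output is exactly the signal the infected shops above never received. The `csp_script_src` helper shows the complementary preventive control: with a script-src allowlist in place, a browser would refuse to load the injected tag at all, although the policy must be kept in sync with legitimate third-party scripts or it will break the checkout.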