Is Magecart Checking Out Your Secure Online Transactions?

November 21, 2018 | Anomali Labs

With Online Holiday Sales Projected at $123B: How Secure are Your Transactions? 

There is a projected $123B in online purchases this holiday season, according to commerce site shopify.com. Millions of online transactions will occur between now and December 25th. How secure do you feel entering your credit or debit card details into payment portals? We all get a sense of security from HTTPS and the “secure transaction” wording in checkout carts, but does that offer 100% protection to the consumer?

Anomali Labs researchers have discovered web stores that have been compromised by an unknown threat actor, possibly Magecart, where the website has been modified to include JavaScript code that steals credit card information. The JavaScript code appears in two forms: one that beacons out to g-analytics[.]com and one that beacons out to jquery-js[.]com. The threat actor uses a form of typosquatting to camouflage the command and control (C2) domains, choosing names similar to well-known domains such as google-analytics[.]com and jquery.com. The code has been present on the sites for approximately five months and has silently been siphoning off stolen credit card details. At the time of this writing, the campaign is ongoing. The compromised sites are small but high-end stores offering goods at a premium price.

The Magecart threat groups have been highly active in 2018, and they have been attributed to multiple data breaches and information-theft incidents. Some of these breaches affected large and well-known companies. In late June 2018, the ticket sales company Ticketmaster stated publicly that it had been compromised by threat actors. The threat actors turned out to be Magecart, according to RiskIQ researchers. Magecart targeted a Ticketmaster subdomain (hosted by third-party supplier Inbenta) and injected it with a JavaScript module, among other actions, to conduct payment skimming activity [1]. On September 6, 2018, British Airways confirmed that it had suffered a data breach in which a threat group (Magecart) stole payment information from the company’s main website and mobile application by using a modified “Modernizr JavaScript” library (version 2.6.2) [2]. Another company attacked by Magecart was Newegg, whose website was compromised with a skimmer similar to the one found in the British Airways incident; the skimmer was located on Newegg’s payment processing page and sent the stolen data to an actor-registered domain (neweggstats[.]com, later changed to 217.23.4.11) [3]. These campaigns offer some insight into how Magecart operates, and it is with these tactics in mind that Anomali Labs researchers assess with medium confidence that this campaign is being conducted by a Magecart group.

Threat actors are consistently looking for ways to steal valuable information that can be sold for a profit or used illicitly to steal funds. One way an actor can accomplish this is via an SQL injection attack that gains unauthorized access to information stored in a database; however, this approach has some limitations. Foremost, it is only possible to steal data from customers who have chosen to store their payment information. Secondly, the Payment Card Industry Data Security Standard (PCI DSS) does not allow CVV values to be stored. This makes stolen card data harder for a threat actor to use, because some merchants require the CVV to make a purchase. A way for a threat actor to obtain card data together with the CVV is to compromise the web store and add code to the checkout page that steals the information and sends it to the threat actor just before it is submitted to the server. For example, the threat actor can inject HTML into the page that loads malicious JavaScript from another server. The JavaScript waits for a particular event to occur, and once the correct event has fired, the code grabs the data that is about to be submitted to the store and sends it to a server controlled by the threat actor. This type of compromise can be challenging to detect because it all occurs in the customer’s browser and not on computers controlled by the compromised company. Therefore, it is possible for a site to stay compromised for months without detection.

Compromised websites

According to an internet-wide survey, Anomali Labs has detected at least 31 websites that were compromised and served the malicious JavaScript as far back as the 23rd of June, 2018. The sites were compromised to load JavaScript hosted on the domain “g-analytics[.]com”. The injected code looks very similar to legitimate Google Analytics code, which helps it evade detection if a developer audits the page. Figure 1 shows the legitimate Google Analytics code on a compromised host and Figure 2 shows the injected malicious code.

Figure 1: Code snippet of legitimate Google Analytics on a compromised machine.

Figure 2: Malicious code snippet impersonating Google Analytics on the compromised machine.
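The injected loader in Figure 2 differs from the legitimate one in Figure 1 only in the host it pulls the script from, so a store operator can catch this class of tampering by comparing the external script hosts on the checkout page against a baseline and flagging any host that borrows a known brand name without being the known-good domain. The following Python script is an added example, not code from the original post or from Anomali Labs: the sample HTML, the allowed-host baseline and the brand-token list are constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a checkout page's <head>: a legitimate Google Analytics
# loader (as in Figure 1) followed by an injected copy pointing at the lookalike
# domain described in the post (as in Figure 2). Not content from any real site.
SAMPLE_HTML = """
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript" src="/skin/frontend/default/js/checkout.js"></script>
<script async src='https://g-analytics.com/analytics.js'></script>
<script src="//code.jquery.com/jquery-3.3.1.min.js"></script>
"""

# Assumed baseline: hosts the store's developers have approved for serving script.
# A real deployment would generate this from a known-clean copy of the page.
ALLOWED_SCRIPT_HOSTS = {"www.google-analytics.com", "code.jquery.com"}

# Brand tokens whose appearance in an unapproved host suggests typosquatting,
# matching the g-analytics / jquery-js pattern described in the post.
BRAND_TOKENS = ("analytics", "jquery", "google")

# Matches <script ... src="..."> with either quote style; sufficient for an
# audit of static HTML without pulling in a full DOM parser.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def external_script_hosts(html):
    """Return the host of every <script src> that is not a same-origin path."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        netloc = urlparse(src).netloc.lower()          # '' for relative paths
        if netloc:
            hosts.append(netloc.split("@")[-1].split(":")[0])  # drop creds/port
    return hosts


def classify_host(host):
    """'allowed' if baselined, 'lookalike' if it borrows a brand token, else 'unknown'."""
    if host in ALLOWED_SCRIPT_HOSTS:
        return "allowed"
    if any(tok in host for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def defang(host):
    """Render a host the way it would appear in a report (last dot bracketed)."""
    head, _, tld = host.rpartition(".")
    return f"{head}[.]{tld}" if head else host


def audit_page(html):
    """Return (host, verdict) for every external script, in document order."""
    return [(h, classify_host(h)) for h in external_script_hosts(html)]


def findings(html):
    """Only the hosts that warrant a look, defanged for the ticket."""
    return [(defang(h), v) for h, v in audit_page(html) if v != "allowed"]


if __name__ == "__main__":
    for host, verdict in audit_page(SAMPLE_HTML):
        print(f"{verdict:9s} {host}")
```

Run against the sample, the audit reports the real Google Analytics host and jQuery CDN as allowed and flags g-analytics[.]com as a lookalike; a host that is neither baselined nor brand-like comes back as "unknown" so it is still reviewed rather than silently accepted. Because the check runs against the served HTML, it also catches the case the post describes in which the store's own servers are untouched and the only evidence is what the browser receives.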

g-analytics.com

The domain “g-analytics[.]com” was registered at NameCheap on the 31st of May, 2018. The domain tries to impersonate the domain Google uses to serve Google Analytics (google-analytics[.]com). If a visitor navigates to the g-analytics[.]com site, they are redirected to the real Google Analytics site, making the domain appear more legitimate. The response headers from the server are shown below:

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Mon, 19 Nov 2018 10:55:59 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: https://analytics.google.com/

The server is used to host JavaScript, “analytics.js”, that is served to visitors of the compromised sites. The threat actor has actively been updating the script file since June 2018 with new versions. The versions of the script and the last modified timestamp given by the server are shown in Table 1 below.

Version | Last Modified Timestamp
1.0.1   | Sat, 23 Jun 2018 02:47:00 GMT
1.0.3   | Wed, 27 Jun 2018 04:25:33 GMT
1.0.4   | Wed, 27 Jun 2018 11:06:48 GMT
1.0.5   | Thu, 28 Jun 2018 17:25:25 GMT
1.0.6   | Thu, 28 Jun 2018 15:11:47 GMT
1.0.7   | Thu, 28 Jun 2018 16:03:46 GMT
1.0.8   | Tue, 02 Oct 2018 13:59:59 GMT
1.0.9   | Mon, 02 Jul 2018 06:51:07 GMT
1.0.10  | Thu, 05 Jul 2018 05:29:44 GMT
1.0.11  | Wed, 04 Jul 2018 15:41:58 GMT
1.0.12  | Thu, 05 Jul 2018 07:43:21 GMT
1.0.13  | Sat, 07 Jul 2018 12:27:40 GMT
1.0.14  | Sat, 07 Jul 2018 03:58:37 GMT
1.0.15  | Tue, 10 Jul 2018 09:44:23 GMT
1.0.16  | Sat, 03 Nov 2018 16:00:19 GMT
1.0.17  | Mon, 05 Nov 2018 11:02:11 GMT
1.0.18  | Tue, 06 Nov 2018 14:30:54 GMT
1.0.19  | Wed, 07 Nov 2018 13:02:37 GMT
1.0.20  | Thu, 08 Nov 2018 04:23:06 GMT
1.0.21  | Tue, 13 Nov 2018 14:14:21 GMT
1.0.22  | Tue, 13 Nov 2018 14:05:59 GMT
1.0.23  | Tue, 13 Nov 2018 14:04:30 GMT
1.0.24  | Tue, 13 Nov 2018 13:35:32 GMT

Table 1: Versions of analytics.js and the last modified timestamp given by the server.

analytics.js

“Analytics.js” is an obfuscated JavaScript file that exfiltrates payment details from compromised websites with payment portals. The file pretends to be the “Google Analytics” file named “analytics.js”. Multiple different versions of this file have been observed.

Technical breakdown

The file is obfuscated by taking all strings, and some function names, out of the code and placing them inside an obfuscated string. That string is copied into a character array and subjected to a number of decoding operations that yield a string array, as shown in Figure 3.

Figure 3: String array deobfuscation.

A number of helper functions are initialized and returned in an associative array assigned to a variable named “GoogleAnalytics”. Another round of decoding is performed on a large string, which creates another string array for the obfuscated code. The file uses the popular JavaScript library “jQuery” to wait for a user to click a button matching one of the following element, class, or ID selectors:

  • button
  • .form-button
  • .onestepcheckout-button
  • .btn
  • #onestepcheckout-place-order
  • .onestepcheckout-place-order
  • .onestepcheckout-place-order-wrapper

The script grabs the URL and uses a regular expression test to ensure the page is either a login page or a purchase-related page, matching the pattern shown in Figure 4, which shows the check in the code.

Figure 4: Regular expression check.

If this test returns true, the script calls “document.querySelectorAll()” in a loop to collect all elements matching the following selectors: input, select, textarea, checkbox.

It checks whether a value has been entered into each field. If so, it reads the element’s “name” HTML attribute; if there is no name attribute, the script uses the current loop index as the name. Each name/value pair is appended to a string in the following format:
param_string += [element_name] + '=' + [element_value] + '&'

The script will also save the value using HTML5 local storage, as shown in Figure 5.

Figure 5: Storing the value of all completed fields.

It checks local storage for a field named “gaudid”, a unique identifier for the client shopping on the compromised website. If there is no ID, the script generates one for the victim, as shown in Figure 6.

Figure 6: Unique ID check and generation.

The script then looks for a local storage variable called “infoResult”; if found, its contents are prepended to the exfiltrated data. The script then begins building its asynchronous HTTP POST request. It creates a regular expression with the following pattern to test for card numbers:
[0-9]{13,16}

If the test matches, it sets a flag in the exfiltrated data. The data is then encrypted and Base64-encoded, and placed in the POST body after the field “track”, as shown in Figure 7.

Figure 7: Exfiltration of collected data to the C2.

An example of scraped data before encryption is shown in Figure 8.

Figure 8: Fetched fields before encryption.

The POST request attempts to mimic the request path and URL query parameters of legitimate Google Analytics requests. The mimicked request path can be seen in Figure 9, alongside a legitimate Google Analytics request; note the difference in the HTTP method and the protocol used.

Figure 9: Network requests showing both legitimate and fake Google Analytics requests.
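Because the beacon copies the Google Analytics request path and query string but sends it to a different host, the exfiltration is visible in web proxy logs even though the POST body is encrypted. The following Python script is an added example, not code from the original post or from Anomali Labs: it runs three checks over constructed proxy log lines, matching the domains and IP published in the indicators section, and flagging any Google Analytics-style hit path (the `/__utm.gif` path from the indicator URL, or the analytics.js `/collect` endpoint) that is sent to a host other than Google's. The log format, client addresses and example store hostnames are assumptions made for the sample.

```python
import re
from urllib.parse import urlparse

# Indicators published in the post.
C2_DOMAINS = {"g-analytics.com", "jquery-js.com"}
C2_IPS = {"185.82.200.87"}

# Hosts a genuine Google Analytics beacon would go to. www.google-analytics.com is
# the collection endpoint; analytics.google.com is where the lookalike redirects.
GOOGLE_ANALYTICS_HOSTS = {
    "www.google-analytics.com",
    "google-analytics.com",
    "analytics.google.com",
}

# Request paths that look like a Google Analytics hit: /__utm.gif is the path the
# skimmer mimics (see the URL indicator), /collect is the analytics.js endpoint.
GA_STYLE_PATHS = {"/__utm.gif", "/collect"}

# Constructed proxy log lines (not from any real deployment), one request per line:
#   epoch_time client_ip method url status
SAMPLE_LOG = """\
1542624959.123 10.0.0.5 GET https://www.google-analytics.com/collect?v=1&t=pageview&cid=123 200
1542624960.456 10.0.0.5 POST https://g-analytics.com/__utm.gif?v=1&_v=j68&t=pageview&cid=1283183910.1527732071 200
1542624961.789 10.0.0.7 GET https://cdn.example-store.test/js/checkout.js 200
1542624962.001 10.0.0.9 GET https://jquery-js.com/latest/jquery.min.js 200
1542624963.250 10.0.0.9 GET https://www.example-store.test/__utm.gif?v=1 404
1542624964.500 10.0.0.4 GET http://185.82.200.87/analytics.js 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Split one log line into a record; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "scheme": u.scheme,
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "status": int(status),
    }


def reasons_for(rec):
    """Return the list of reasons a request should be reviewed (empty if none)."""
    out = []
    host = rec["host"]
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        out.append("known skimmer C2 domain")
    if host in C2_IPS:
        out.append("known skimmer C2 IP")
    if rec["path"] in GA_STYLE_PATHS and host not in GOOGLE_ANALYTICS_HOSTS:
        out.append("Google Analytics-style beacon to a non-Google host")
    return out


def scan(log_text):
    """Return (client, method, host, reasons) for every request worth a look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than crash
        reasons = reasons_for(rec)
        if reasons:
            hits.append((rec["client"], rec["method"], rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for client, method, host, reasons in scan(SAMPLE_LOG):
        print(f"{client} {method} {host}: {'; '.join(reasons)}")
```

On the sample, the POST to g-analytics[.]com is reported on two grounds (known domain, and a GA hit path sent outside Google), the jquery-js[.]com fetch and the direct request to the indicator IP on one each, and the legitimate request to www.google-analytics.com is left alone. The third rule is the one that keeps working after the actor rotates domains: it needs no indicator list, only the observation from the post that the skimmer imitates the Google Analytics path on a host that is not Google's, so a self-hosted `__utm.gif` hit will also surface for review.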

jquery-js.com

The domain “jquery-js[.]com” was registered at NameCheap on the 2nd of January, 2017. It is similar to g-analytics[.]com in that it impersonates a legitimate site. Users browsing to the site are redirected to the legitimate jQuery site, as can be seen below.

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Tue, 20 Nov 2018 09:57:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: https://jquery.com/

The domain is used to host the JavaScript file “jquery.min.js”. According to data provided by the web server, the file was last modified on the 7th of January, 2017.

jquery-min.js

“jquery-min.js” is an obfuscated JavaScript file that operates in a similar way to “analytics.js”, skimming payment details from compromised websites with payment portals. The file pretends to be a “jQuery” file.

Technical breakdown

The file is heavily obfuscated JavaScript that pretends to be a minified jQuery file. The script has a large comment block at the start of the file that is code from the legitimate version of jQuery. This is intended to hide the malicious code appended below it, as shown in Figure 10.

Figure 10: Malicious file with comment block mimicking jQuery.

The script decodes and evaluates a large string that contains more JavaScript code. After the first round of decoding, the script shown in Figure 11 is evaluated.

Figure 11: Second decoding script.

This script decodes and evaluates another string, which is the final malicious script that performs the skimming of shopper details. The malicious script and its deobfuscated version are shown in Figures 12 and 13.

Figure 12: Malicious skimming script.

Figure 13: Deobfuscated version of the script.

The script acts much in the same way as “analytics.js”. It will check that the user is on a payment page and scrape all values filled into input elements in the form. The data is sent to the C2 server over asynchronous HTTP POST in plaintext.

Recommendations

If you have bought something from these sites, consider cancelling your credit or bank card, requesting a newly issued card from your card issuer, and carefully monitoring your transaction list for potentially malicious activity. Paying via a trusted third-party application, such as Apple Pay, Google Pay, PayPal, or Visa Checkout, can reduce the likelihood of your banking and payment information being stolen by this malicious script, because card details are entered in the third-party portal rather than in the form on the compromised site, where the script scrapes them.

Indicators of Compromise

File hashes

File | SHA1 | SHA256 | MD5
analytics-1.0.1.js | d79aae3a361af9811c46a2cfdf64d59d3126de7d | 69fd11ffde20274f419b1126136ab001744600ef67f77c31750826077115ce33 | 434a1c9e65d68138666f86fbe2c630ff
analytics-1.0.3.js | 4b348d4e99f921212aa37194020d2f4679c94755 | fc0fce7dfa5e5ead859be43469c2a8719f5c737df0d10dba94dfe5291fe04b4c | 967f7722009eae576a7af1626eb43955
analytics-1.0.4.js | e4b58187282f2ae83a6f5f35f865d67163ff8bc5 | e54f23482b47bfc7f8dc7097b556e32644edc72996ea987dbe916eade48dccdf | 46e0ac454f6dfb8c6436139c076df774
analytics-1.0.5.js | b7aa002e664e2a3ed76d2fe15c87bb43b9cbfa34 | bd1a1f2239eae87734d5eb8ffbea3bc343aca69373c860de1e46fe9689cfd70a | 50321d8f0d0d9a44465995251bef98a1
analytics-1.0.6.js | 0cc414e41fa0094c722f80010a3d413d05a5b42f | c64adf966f5ebf7600ee6593ee391f02bfd14aec12e541357461b8bb1e156775 | ad60c1ccb84e81e2f77b503054261920
analytics-1.0.7.js | 86a0562d82c05460dc62898e9888b73eee4eb05f | 4de6c8209ba6e643ad1b773c2c12e910005b4dad9c09f6ed76a238ce089d8efb | 180d903f47e3c7baa65825f65e09bca0
analytics-1.0.8.js | 06ee6c14eb7fe625ae543a93f4ad86e7794f23fa | 02f1dc790c68ace0cf1fa5cfba6a72d9b84ea60d19196bef686d47b53bf42d80 | 0a4db14c632a6dfb66bd53c2c3efbf0b
analytics-1.0.9.js | f64d79c1ed4b7a96d763d0a19a7508bbbda25a5c | be5c2e3a9fb3c605e7f4a2d80bb295bc6f1f7520a601014998ecbb4ac8d25da7 | 57a65a522efbc2d339de3c6fd89bdaa7
analytics-1.0.10.js | 4c0576e7592c879a0a79c1e0df174572726a0c62 | 957b45bf311166cd5730886f1b64028f23c758d700bb2be09aea57c293f84398 | 2ae7c73badcffa20d7ff999a809a9e5c
analytics-1.0.11.js | 445f2ddab06bdf74b28585e810ae1a8ad439bc63 | a119c43f4bf93333959a33f6f5b731fd9040e277299e269a3d60c45d66df2112 | db0cb908da4723a290478160d3b855d4
analytics-1.0.12.js | d7e870968fb87b4028c508d70ea0d2dd0d074aa9 | dd36d5d47ae45ea94123e447a95c9cba442b1bb43f84074e23549b29413cada8 | 5f56c50b6d537fef6762ef8899ecff51
analytics-1.0.13.js | f9da3210b6d7736fe5f7268c69ca8f60fda9c59d | 7da0cadd9477cf94f419a81c767c5d4b889139b870e63534e95d1593592bcd0f | 5889b1826a45e10010e68cfe70eacdd4
analytics-1.0.14.js | 355cb0ad31ed0d915250681e97a8b60f245fd7e3 | 1eb0b4d0e7e0be23ae1184dc5f5fdb0db64a97f4f350d7e5efe7d5aebace015a | f884178d47d05be4abfa8ff81895dfcc
analytics-1.0.15.js | a6fd0f6a631c5089dfc97ce0558774cdec3c5416 | ba4909955cf17789e53580ad189725cf02771d0575d899eb436c3973647ff271 | 9cb61c81cd71d33a84e33f8ee3b81fc9
analytics-1.0.16.js | d28466d9be30a068035371b2e2a6cc0a2db33b92 | ff0079df61707bc5184c7c299e00695e7ca0e973b708c2affa0f6a28a5b4a866 | 4c1526a9d34b3e89ca238d6dbaacee81
analytics-1.0.17.js | 059f9ed9041795956a9a17ef38842c8dd9279339 | b2b20a983a9d9cfa017d0766139eca1e524137e60db9d431ecbee0a237d54aca | fe59f6f0d088e07177361c773cd807ba
analytics-1.0.18.js | 25ecc3fdfe0e9914217ad284b8d49a2c61420bbf | f65e22f893e08cada99f31be5dcce2deb6685df5ba929ce5558df2a28a8333e4 | 787d1d1733a70e5107f414f9b1e7868d
analytics-1.0.19.js | 848d3b1b78d0a69f329fd86a7895f0d1c83f5a5e | f88d99661dde2aaed0221d3684d6c6fa50f8b91413568e290ea71d3f8012cb28 | 568edce319520bf9fac7151fc4f0138b
analytics-1.0.20.js | 051459e1f8f14beed79ad297edc79afc2dcb0fab | 52ecec641a9a0f157f181b2a6bc7b62c2fbafb95f97e9096130312cd9858cc28 | 52f1ab47408c523e91ffe4aae2f1b9ea
analytics-1.0.21.js | dbc75abb41f4112a716ffef9520e3f454e3d4d5b | aff54f029566038581f65dcde5940fce96e6b98665071ea49b3cd803d3441d93 | f40ed59e2a32393a75f05766973c507d
analytics-1.0.22.js | dbc75abb41f4112a716ffef9520e3f454e3d4d5b | aff54f029566038581f65dcde5940fce96e6b98665071ea49b3cd803d3441d93 | f40ed59e2a32393a75f05766973c507d
analytics-1.0.24.js | dbc75abb41f4112a716ffef9520e3f454e3d4d5b | 02f1dc790c68ace0cf1fa5cfba6a72d9b84ea60d19196bef686d47b53bf42d80 | f40ed59e2a32393a75f05766973c507d
jquery-min.js | e4f118c3f4c44129c50f2e5889447b5618b88604 | 7809510b73475f418a95a4633b4b6b71a7bafba2322d5a5756537e02fe1518e5 | 98ceaced3fa4c06ad48c8eb52352d528

URLs
jquery-js[.]com/latest/jquery.min.js

g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560x1440&vp=2145x371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071

Domains
jquery-js[.]com
g-analytics[.]com

IP
185.82.200[.]87

__________________________________

[1] Yonathan Klijnsma and Jordan Herman, “Inside and Beyond Ticketmaster: The Many Breaches of Magecart,” RiskIQ, published July 9, 2018, accessed November 19, 2018, https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/.
[2] Yonathan Klijnsma, “Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims,” RiskIQ, published September 11, 2018, accessed November 19, 2018, https://www.riskiq.com/blog/labs/magecart-british-airways-breach/.
[3] Yonathan Klijnsma, “Another Victim of the Magecart Assault Emerges, Newegg,” RiskIQ, published September 19, 2018, accessed November 19, 2018, https://www.riskiq.com/blog/labs/magecart-newegg/.
