In addition to the Forbes magazine subscription site, Picreel, an analytics provider that records customer behavior on websites, and CloudCMS, an enterprise-grade content management system used by companies to host content, were hit by skimmer attacks. The attacks against Picreel and Cloud CMS apparently were the work of Magecart, an umbrella group that has been increasingly active over the last year in targeting e-commerce sites to syphon off customer data, according to RiskIQ, a security firm that has been tracking these incidents over the past several months and conducted an analysis of these incidents.
The result is a hard-to-detect attack that is effective at stealing data and also difficult to scrub from an infected website. That's why these schemes have increased over the last 12 to 18 months, says Yonathan Klijnsma, a threat researcher at RiskIQ.
"Skimming is lucrative and anything is a target," Klijnsma tells Information Security Media Group. "Sadly, there are many routes to get into a website. It could be a vulnerability, it could be credential reuse or it could be stolen credentials."
Skimmer Attacks on the Rise
Over the past years, Magecart has been at the center of a growing trend that has seen several major companies and their payments systems hit with these types of attacks, including ticket-selling giant Ticketmaster, U.K. airline British Airways as well as e-commerce site Newegg (see: Card-Skimming Malware Campaign Hits Dozens of Sites Daily).
One reason for the increase is the malware used in these schemes is available for purchase for $250 to $5,000 on underground forums, according to an analysis by security firm Group-IB. Additionally, skimmers are customizable. The Magecart group is known to use one called MagentoName because it is designed to take advantage of vulnerabilities in older versions of the Magento content management system - one of the more popular content management systems available and a frequent target of these attacks.
Targeting Forbes Subscription Site
On Wednesday, Troy Mursch, an independent security researcher with Bad Packets Report, reported that the Forbes subscription site - www.forbesmagazine.com - had been hit with a skimmer attack, although it's not clear if this particular incident is tied to Magecart. The site was offline for part of Wednesday, but by Thursday, it was back online.
https://t.co/DntEsjEfo6 is back online and we've confirmed the malware has been removed.— Bad Packets Report (@bad_packets) May 15, 2019
If you made a purchase on the site while it was compromised, your credit card information was likely stolen.https://t.co/u1WKrmS0k2
A Forbes spokesperson tells ISMG that the incident did not involve the main Forbes.com website, which doesn't ask readers for credit card information. The company took the infected subscription site down immediately, and no personal information was compromised, the spokesperson adds.
Mursch told ISMG that his team first noticed the attack at about 12:30 a.m. EDT on Wednesday and had notified Forbes about it, but received no answer. By 10 a.m. EDT, that site had been taken offline; it was restored about four hours later with the malware removed.
While it's not clear when the attack started, Mursch noted that the Forbes subscription site had been targeted previously on May 12.
A deobfuscated version of the malicious code, posted on Pastebin, shows that attackers were after credit card numbers, first and last names, email address, postal codes and other data.
In his analysis, Mursch found that the attackers used a WebSocket protocol, a two-way communication channels over a single TCP connection, in an attempt to exfiltrate the credit card and other information to their domain. That domain is now shut down.
While this particular attack against the Forbes subscription website bears some of the hallmarks of a Magecart operations, Klijnsma of RiskIQ does not see a connection between this incident and one of the 12 different "families" that make up Magecart.
"The skimmer in itself didn't match an exact group," Klijnsma says. "It looked more like a manual job of stitching together some functionality from a simple skimmer and tying it in with the exact payment button used on the Forbes magazine website."
Picreel & CloudCMS
The skimming attacks against Picreel and CloudCMS were first noticed on Sunday by Dutch security researcher Willem de Groot, who has tracked Magecart.
Supply chain attack of the week: @Picreel_— Willem de Groot (@gwillem) May 12, 2019
marketing software got hacked last night, their 1200+ customer sites are now leaking data to an exfil server in Panama.
Decoded malware: https://t.co/ZiuhUBP3cf pic.twitter.com/X9uDIctYa9
The attackers first sought out the supply chain of these two platforms to inject the malicious code, security researchers say. In web-based supply-chain attacks, which compromise vendors that supply code that adds website functionality, this approach gives attackers access to many more victims because the malicious code is then integrated with thousands of sites.
In its analysis, RiskIQ specifically tied these two attacks to the main Magecart group. Unlike previous operations, however, the attackers made a mistake that limited the damage in the attack against Picreel.
Representatives for Picreel and CloudCMS told ZDNet, which first reported the story, that they are aware of the attack and were investigating the cause.