Bedding Retailers Lose Sleep Over Magecart’s Digital Skimming Attacks

Magecart gangs use a script, which basically works like a card skimmer mounted on a physical card terminal.


Typosquatting, skimming, live-chat hijacking and injected scripts were among the strategies Magecart, a term covering at least seven different cybercriminal groups, used to breach two online retailers.

San Francisco-based digital-threat-management solutions provider RiskIQ’s latest research focused on breaches against bedding retailers MyPillow and Amerisleep, as part of its study of Magecart gangs — seen as the cause of at least 319,000 cyberincidents last year, including many digital credit card-skimming attacks, and the British Airways, Newegg and Ticketmaster breaches.

With the malicious script, hackers can lift electronic payment information in real time during checkout.

According to RiskIQ, “We detect hundreds of Magecart incidents every day but don’t publicly document the vast majority of what we find—only significant events or changes in a group’s M.O. or capabilities.”

However, in a blog, RiskIQ documented two Magecart-related breaches against the bedding retailers affecting online payments. “One has been resolved but was never disclosed and another is ongoing despite numerous attempts by us (RiskIQ) to contact the affected retailer. In both cases, the potential victims of credit card fraud, the consumers, have not been informed.”

As with all data breaches and other events affecting payments, the risk could extend to credit unions and other financial institutions that issue credit and debit cards.

The research confirmed that in October 2018, Magecart attackers breached MyPillow’s e-commerce platform to steal payment information. The attackers registered “mypiltow.com,” a typo-squat on the primary domain of MyPillow, and set up Let’s Encrypt to cover it with an SSL certificate. “This type of domain registration typo-squatting means that the attackers had already breached MyPillow and started setting up infrastructure in its name.”

Magecart attackers then injected a script, hosted on mypiltow.com, into the MyPillow web store. “The script contained a copy of the ‘matchMedia() polyfill’ JavaScript library followed by a heavily obfuscated skimmer.”

RiskIQ noted this digital skimmer remained active for a short period. However, on Oct. 26, 2018, attackers registered a new domain for stage two of the attack, “livechatinc.org,” the RiskIQ blog said. “The attackers played a brilliant game the second time they placed a skimmer on the MyPillow website, adding a new script tag for LiveChat that matched a script tag usually inserted by the LiveChat scripts.” RiskIQ noted the last time it observed this skimmer active on the MyPillow website was Nov. 19, 2018.

The first compromises of Amerisleep’s website began in April 2017. “Over the rest of the year, the Magecart actors managed to skim cards during transactions. It all started with injected scripts hosted on magescripts.pw.” The skimming operation ran until at least the first half of October 2017. “After that, Amerisleep was clean of skimmers for close to a year — RiskIQ did not observe any injected skimmer tags to external domains during that time.”
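The three skimmer hosts named in this article (the typosquat mypiltow.com, the vendor lookalike livechatinc.org and the unrelated magescripts.pw) illustrate what a store’s own third-party script audit should catch. The following is an added example, not code from RiskIQ or either retailer: it extracts every external script host from a constructed checkout page, compares it with an assumed allowlist (mypillow.com and livechatinc.com are taken here as the legitimate store and live-chat vendor domains) and flags hosts that are unknown or that sit one or two edits, or one TLD swap, away from an allowed domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of domains the store expects to serve scripts from.
ALLOWED_DOMAINS = {"mypillow.com", "livechatinc.com"}

# Constructed checkout page: one legitimate script, a typosquat host,
# a lookalike of the live-chat vendor, and an unrelated external host.
SAMPLE_HTML = """<html><body>
<script src="https://www.mypillow.com/js/checkout.js"></script>
<script src="https://mypiltow.com/js/matchmedia-polyfill.js"></script>
<script src="https://livechatinc.org/tracking.js"></script>
<script src="https://magescripts.pw/loader.js"></script>
<script>window.dataLayer = [];</script>
</body></html>"""

class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag (inline scripts skipped)."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

def registrable_domain(host):
    """Last two DNS labels; a simplification with no public-suffix handling."""
    return ".".join(host.lower().split(".")[-2:])

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, allowed=ALLOWED_DOMAINS):
    """'allowed', 'lookalike of <good>' (same name on another TLD, or <=2 edits), or 'unknown'."""
    if domain in allowed:
        return "allowed"
    name, tld = domain.rsplit(".", 1)
    for good in allowed:
        gname, gtld = good.rsplit(".", 1)
        if (name == gname and tld != gtld) or levenshtein(name, gname) <= 2:
            return f"lookalike of {good}"
    return "unknown"

def audit_scripts(html, allowed=ALLOWED_DOMAINS):
    """Map each external script's registrable domain to a verdict."""
    parser = ScriptSrcParser()
    parser.feed(html)
    verdicts = {}
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host:
            dom = registrable_domain(host)
            verdicts[dom] = classify(dom, allowed)
    return verdicts
```

Running `audit_scripts(SAMPLE_HTML)` marks mypillow.com as allowed, mypiltow.com and livechatinc.org as lookalikes of the allowed domains, and magescripts.pw as unknown; any verdict other than "allowed" on a checkout page is worth an alert.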

However, in December 2018, Amerisleep fell victim to Magecart once again. In December 2018 and January 2019, the attackers used new skimming methods. “The injection is still live on the website as of this publishing,” RiskIQ maintained.

RiskIQ concluded that, with the increased efficiency of credit-card skimming groups, the time it takes for many consumers to have data stolen, seemingly out of nowhere, is decreasing quickly. “Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.”

The security firm suggested businesses need to focus on visibility into internet-facing attack surfaces and increase scrutiny of third-party services. “The problem is that most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves,” RiskIQ wrote in the blog. “They’re copying the research of others, and some even add to the confusion by calling Magecart something completely different like ‘form jacking.’”

The threat-management solutions provider held that in the months and years to come, new variants of these sorts of web skimming attacks are likely to emerge. “While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen, which widens the scope of potential Magecart victims far beyond just e-commerce.”