Cybersecurity researchers have flagged stealer malware observed targeting e-commerce sites running Magento, which masks malicious content in image tags in the HTML code to stay under the radar.
Magecart is the name given to malware capable of stealing sensitive payment information from online shopping sites. The attacks are known to use a wide range of methods, both client-side and server-side, to compromise sites and deploy credit card skimmers to facilitate the theft.
Usually, such malware is triggered or loaded only when users visit the checkout pages to enter credit card data, either by serving a fake form or by capturing the entered information in real time.
The term Magecart is a reference to the original target of these cybercrime groups, the Magento platform, which offers checkout and shopping cart features for online shops. Over the years, such campaigns have adapted their tactics, hiding malicious code through encoding and obfuscation in seemingly harmless sources, such as fake images, audio files, favicons and even 404 error pages.
“In this case, the malware affecting the client pursues the same goal: remaining hidden,” researcher Cayley Martin noted. “It does this by masking the malicious content in an <img> tag, which makes it easy not to notice.”
“It is usual for <img> tags to contain long strings, especially when referencing image file paths or Base64-encoded images, as well as additional attributes such as height and width.”
The only difference is that the <img> tag, in this case, acts as a decoy containing Base64-encoded content that points to JavaScript code, which is activated when an onerror event is detected. This makes the attack much more insidious, as the browser inherently trusts the onerror function.
“If the image fails to load, the onerror function will cause the browser to show the broken image icon,” Martin said. “However, in this context, the onerror event is hijacked to execute JavaScript, not just to handle the error.”
In addition, the attack offers an added advantage to the threat actors in that the <img> HTML element is usually considered harmless. For its part, the malware checks whether the user is on the checkout page and waits for unsuspecting users to click the “Submit” button before siphoning the sensitive information they entered to an external server.
The script is designed to dynamically insert a malicious form with three fields, card number, expiration date and CVV, with the aim of exfiltrating them to a friendly () com.
“The attacker performs two impressive goals with this malicious script […] <img> tags, and ensuring end users do not notice unusual changes when the malicious form is inserted, remaining unnoticed as long as possible,” Martin said.
“The goal of attackers targeting platforms such as Magento, WooCommerce, PrestaShop and others is to go unnoticed as long as possible, and the malware they inject into sites is often more complex than the more common malware that affects other sites.”
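As an added defensive example (not code from the research described above), the following Python audits HTML for <img> tags whose onerror or onload handlers contain dynamic-code calls or Base64 runs, and decodes the run so an analyst can read it. The patterns, function names and sample markup are assumptions constructed for illustration.

```python
import base64
import re
from html.parser import HTMLParser

# Patterns are heuristics chosen for this example; tune them per site.
DYNAMIC_CALL = re.compile(r"\b(atob|eval|Function|fromCharCode)\s*\(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_preview(handler):
    """Decode the first Base64 run in a handler so an analyst can read it."""
    match = B64_RUN.search(handler)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(), validate=True).decode("utf-8")
    except ValueError:  # invalid Base64 or bytes that are not UTF-8 text
        return None

class ImgHandlerAudit(HTMLParser):
    """Flag <img> tags whose inline event handlers look like script loaders."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, attribute, reasons, decoded preview)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag != "img" or name not in ("onerror", "onload") or not value:
                continue
            checks = (("dynamic code call", DYNAMIC_CALL.search(value)),
                      ("base64 run", B64_RUN.search(value)))
            reasons = [label for label, hit in checks if hit]
            if reasons:
                self.findings.append(
                    (self.getpos()[0], name, reasons, decode_preview(value)))

def audit(html):
    parser = ImgHandlerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample; the payload is harmless and encoded here for exactness.
_b64 = base64.b64encode(b"console.log('constructed demo')").decode()
SAMPLE = f"""<html><body>
<img src="/media/item.png" onerror="this.src='/media/placeholder.png'">
<img src="x" width="1" height="1" onerror="eval(atob('{_b64}'))">
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only event-handler attributes are inspected, so a long Base64 data URI in src, which is normal for images, does not raise a finding.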
The development comes as a website security company detailed an incident involving a WordPress website that used the mu-plugins (or must-use plugins) directory to implant backdoors and execute hidden malicious PHP code.
“Unlike regular plugins, must-use plugins are automatically loaded on every page load without requiring activation or appearing in the standard plugin list,” it noted.
“Attackers use this directory to maintain persistence and evade detection, because the files located here are executed automatically and are not easily disabled from the WordPress admin panel.”