Researchers at Malwarebytes reported finding several MageCart web skimmers on the Salesforce-owned Heroku cloud platform.
Initially, the name MageCart was assigned to a single hacking group, the first to plant web skimmers on websites to steal bank card data. The approach proved so successful that the group soon had numerous imitators, and MageCart became a generic term for this whole class of attacks. Whereas in 2018 RiskIQ researchers identified 12 such groups, IBM now counts about 38 of them.
This week, Malwarebytes experts announced that they had discovered several MageCart web skimmers at once on Heroku, a cloud-based PaaS platform.
“The found skimmers were used in active malicious campaigns, and the hackers behind this scheme not only used Heroku to place their infrastructure and deliver skimmers to target sites, but also used a service to store stolen card information,” said Malwarebytes representatives.
Researchers found four free Heroku accounts, each hosting a script aimed at a different merchant site:
- stark-gorge-44782.herokuapp[.]com was used against correcttoes[.]com;
- ancient-savannah-86049.herokuapp[.]com/configration.js was used against panafoto[.]com;
- pure-peak-91770.herokuapp[.]com/intregration.js was used against alashancashmere[.]com;
- liquid-scrubland-51318.herokuapp[.]com/configuration.js was used against amapur[.]de.
Of course, beyond setting up Heroku accounts and deploying the skimmer code and data-collection back end, the scheme also required compromising the targeted sites themselves; so far the researchers have not established how they were hacked, although some of the sites ran unpatched web applications.
Attackers injected a single line of code into each hacked site. The embedded JavaScript, hosted on Heroku, monitored the current page and looked for the Base64-encoded string “Y2hlY2tvdXQ=”, which decodes to “checkout”, that is, the order-placement page.
“When the string was detected, malicious JavaScript loaded the iframe, which stole the payment card data, and passed it (in Base64 format) to the Heroku account. An iframe-based skimmer worked like an overlay that appeared on top of a real payment form,” say researchers from Malwarebytes.
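The behaviour described above gives a defender three static indicators to look for on a checkout page: a script tag pulling from a host the merchant never chose (here, a free herokuapp.com subdomain), a quoted Base64 literal that decodes to “checkout”, and a script that both builds an iframe and Base64-encodes data. The following Python scan is an added example written for this article, not Malwarebytes' tooling; the trusted-host allowlist, the sample HTML and script bodies, and the iframe-plus-btoa heuristic are all assumptions constructed for the demonstration.

```python
"""Static indicator scan for MageCart-style skimmer injection on a checkout page.

Added example; not Malwarebytes' code. Every sample input below is constructed.
"""
import base64
import re
from urllib.parse import urlparse

# Hosts the merchant legitimately loads scripts from (assumption for this example).
TRUSTED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Base64 of "checkout", the page trigger reported in the article.
CHECKOUT_B64 = base64.b64encode(b"checkout").decode()  # "Y2hlY2tvdXQ="

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
# Quoted tokens that look like Base64 (8+ alphabet chars, optional padding).
B64_TOKEN_RE = re.compile(r'["\']([A-Za-z0-9+/]{8,}={0,2})["\']')

# Constructed sample page: one legitimate script and one injected script tag
# pointing at a made-up free PaaS hostname (placeholder, not a real IoC).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example/checkout.js"></script>
<script src="https://example-skimmer-00000.herokuapp.com/configuration.js"></script>
<script>window.shopVersion = "2.3";</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed sample of what the injected script's indicators look like;
# the overlay and collection logic are deliberately elided.
SAMPLE_SKIMMER_JS = """
if (location.href.indexOf(atob("Y2hlY2tvdXQ=")) !== -1) {
  var f = document.createElement("iframe"); /* overlay logic elided */
  var payload = btoa("..."); /* encoded data handed to the iframe */
}
"""


def external_script_hosts(html):
    """Hostnames of <script src> tags not on the merchant's allowlist."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host not in TRUSTED_SCRIPT_HOSTS:
            hosts.append(host)
    return hosts


def decoded_b64_literals(js):
    """(literal, decoded) pairs for quoted Base64 strings that decode to printable ASCII."""
    out = []
    for tok in B64_TOKEN_RE.findall(js):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (ValueError, base64.binascii.Error):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            out.append((tok, raw.decode("ascii")))
    return out


def scan_page(html, script_bodies):
    """Return human-readable findings for a page and the bodies of its scripts.

    script_bodies maps a script name to its JavaScript source (fetched separately);
    inline <script> blocks from the HTML are scanned as well.
    """
    findings = []
    for host in external_script_hosts(html):
        if host.endswith(".herokuapp.com"):
            findings.append(f"script loaded from free PaaS host {host}")
        else:
            findings.append(f"script loaded from untrusted host {host}")

    bodies = dict(script_bodies)
    for i, js in enumerate(INLINE_SCRIPT_RE.findall(html)):
        bodies[f"inline#{i}"] = js

    for name, js in bodies.items():
        for lit, dec in decoded_b64_literals(js):
            if lit == CHECKOUT_B64:
                findings.append(f"{name}: Base64 'checkout' trigger ({lit} -> {dec})")
        # Heuristic (assumption): building an iframe and Base64-encoding data in the
        # same script matches the overlay-skimmer pattern the researchers describe.
        if "iframe" in js.lower() and "btoa(" in js:
            findings.append(f"{name}: creates an iframe and Base64-encodes data (possible overlay skimmer)")
    return findings


if __name__ == "__main__":
    for line in scan_page(SAMPLE_HTML, {"configuration.js": SAMPLE_SKIMMER_JS}):
        print(line)
```

In practice the script bodies would be fetched from the `src` URLs the scan extracts, and the allowlist would come from the merchant's own deployment manifest; the point of the scan is that a checkout page should have no script host and no Base64 “checkout” trigger the merchant cannot account for.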
Researchers found several web skimmers on Heroku at once. In every case the scripts were named according to the same scheme, and all of them became active during the past week. This indicates either the work of a single hacking group or attackers sharing the same source code. It appears the attackers launched their operations in anticipation of Cyber Monday and the upcoming holiday shopping season.
Malwarebytes experts note that the abuse of Heroku is not the first precedent of its kind: researchers had previously discovered MageCart skimmers hosted on GitHub (April 2019) and on AWS S3 (June 2019).