Tech

New Magecart hack detected at Shopper Approved

Malicious code removed after two days. Impact is smaller compared to previous incidents at Ticketmaster, Feedify, or British Airways.

Written by Catalin Cimpanu, Contributor Oct. 9, 2018 at 6:00 a.m. PT

A new security breach involving the Magecart malware came to light today, this time involving a US web company named Shopper Approved that provides a "review widget" that other companies can embed on their sites and collect opinions and ratings from customers.

Security

This incident took place on September 15, according to a report from RiskIQ, the cyber-security firm who detected it.

RiskIQ says a hacker group gained access to Shopper Approved's server infrastructure and planted malicious code inside a file located at https://shopperapproved.com/seals/certificate.js.

This is one of the files that was loaded on numerous third-party sites as part of the Shopper Approved customer rating widget.

The malicious code planted inside this legitimate file contained features that collected information entered in checkout forms and sent the data to a remote server, located at info-stat.ws.

RiskIQ says this was the same server that was used in the hack of Feedify, another company that provides an embeddable widget, and which was also compromised with the Magecart malware in mid-September.

But this time around, the infection didn't last weeks, as in the Feedify case, but only two days. RiskIQ contacted Shopper Approved, who removed the code the next Monday, on September 17.

RiskIQ and Shopper Approved said that while the widget was normally loaded on thousands of sites, because the hack was detected in its early stages, the payment card skimmer code only appeared on "a small percentage of the checkout pages."

The reason why the hack was more limited in nature when compared to previous Magecart incidents was that most Shopper Approved customers didn't load the rating widget on their store checkout page, and because the actual skimmer code only triggered on checkout pages that included certain keywords in the checkout URL.

In a message on its website today, Shopper Approved says it already contacted the websites where the Magecart skimmer code was loaded.

"Fortunately, we were able to quickly detect and secure the code related to the incident," the company said.

"If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ.

The Shopper Approved incident also gave RiskIQ a good insight into the hackers' infrastructure. The company says attackers made a mistake when planting the Magecart skimmer code inside Shopper Approved's certificate.js file by copy-pasting a clean and non-obfuscated version of their code before replacing it with an obfuscated and non-readable version 15 minutes later. This gave researchers a clean look at the attacker's code, information they're now using to better track the group's malicious code on the Internet.

Skimmer code in cleartext as seen by RiskIQ on Shopper Approved's network
RiskIQ

Magecart is an umbrella term given to several hacker groups that operate by a similar pattern by planting payment card-stealing code on legitimate sites.

In the past year, Magecart hacks have been reported at companies like Ticketmaster, British Airways, Feedify, ABS-CBN, Newegg, but also Hats.com, TechRabbit, Title Nine, and Stein Mart, Plant Therapy, Peaceful Valley Farm Supply, PPI, and Five Below. Klijnsma has publicly stated in the past weeks that this list is incomplete and should include many more companies that have not gone public or whose hacks have gone unreported by mainstream media.