Pay Attention to Magecart While Shopping


Magecart, ja.magecart, Magento, Malware, Trojan:JS/Magecart, web-skimming

Magecart, inspired by the e-commerce platform Magento, is a type of cyberattack that targets online businesses with the goal of stealing sensitive information, including payment card data. These attacks are a form of web skimming and derive from the Magecart hacker group that began in 2015, targeting several well-known global brands.

Indicators of Compromise

Domains (444)


Hashes (396)


IPv4 (115)


CVEs (16)

CVE-2021-34527, CVE-2023-0215, CVE-2023-0286, CVE-2022-35689, CVE-2023-0217, CVE-2022-35698, CVE-2022-4450, CVE-2021-4034, CVE-2023-0401, CVE-2023-0216, CVE-2022-27925, CVE-2022-4203, CVE-2022-37042, CVE-2022-4304, CVE-2020-3992, CVE-2022-30190

APT Groups

MageCart

FIN6

Notes

Conclusion:

Magecart attacks are a growing threat to online enterprises. Akamai Client-side Protection & Compliance offers a robust defense against these, along with web skimming and formjacking. It grants businesses a deep insight into the behavior of scripts on web pages, highlighting their actions and inter-relationships. By integrating this tool, companies can proactively detect malicious activities, promoting secure coding practices and enhancing customer trust. Regular collaboration with Akamai and integrating its findings into security strategies ensures an updated defense against evolving threats.

Mitigation

Magecart Attack Mitigation

What Can Merchants Do to Prevent Magecart Attacks?

To reduce the risk of Magecart and other types of client-side attacks, take the following steps:

1. Identify third-party JavaScript – prepare an inventory of all third-party JavaScript code on your website.
2. Ask third-party vendors to audit their code – to ensure it is their original code and does not contain any malicious instructions or malware.
3. Switch from third-party to first-party services – whenever possible, prefer to run software on your own servers and not use third-party services. This can prove to be a challenge, as most storefronts today are heavily reliant on third-party vendors.
4. Implement HTTP Content-Security-Policy headers – these provide an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks.
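Steps 1 and 4 can be worked through together. The Python below is an added example, not part of the original page or of any vendor tool: it inventories the externally hosted scripts on a page, flags those loaded without a Subresource Integrity attribute (a check that goes beyond the page's list), and derives a `script-src` allowlist from the inventory. The sample HTML, the page URL and all host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page; every host below is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//tags.example.org/t.js"></script>
<script>console.log("inline");</script>
</head></html>
"""

class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def inventory(html, page_url):
    """Return (third_party, inline_count) for the scripts found in html."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    third_party, inline = [], 0
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            inline += 1  # inline script: needs a nonce or hash under CSP
            continue
        url = urljoin(page_url, src)  # resolves relative and // URLs
        host = urlparse(url).hostname
        if host != page_host:
            third_party.append({"url": url, "host": host,
                                "has_sri": bool(attrs.get("integrity"))})
    return third_party, inline

def csp_script_src(third_party):
    """Build a script-src directive allowing only self and inventoried hosts."""
    hosts = sorted({"https://" + s["host"] for s in third_party})
    return " ".join(["script-src", "'self'"] + hosts)

if __name__ == "__main__":
    found, inline = inventory(SAMPLE_HTML, "https://shop.example.com/checkout")
    for s in found:
        print(s["url"], "SRI" if s["has_sri"] else "NO SRI")
    print("inline scripts:", inline)
    print("Content-Security-Policy:", csp_script_src(found))
```

Review the generated allowlist before deploying it: every host it contains is a party whose code will run on the checkout page.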