BroadAnalysis did not reveal the name of the online retailer in question, but posted a series of screenshots that showed the network traffic, index page and four different sniffer scripts used in the attacks. These included an exfil script, a loading script and a base64 string that linked the compromised site and stolen payment credentials back to the threat actor’s site.
Skimming at Sotheby’s and Others
Another security research report, meanwhile, suggested that a Magecart group has evolved its use of skimming tools to not only steal customer credit card data, but also website administrator credentials. This involves adding other keywords into the skimmer code to look for admin logins and passwords as well as the payment forms on e-commerce sites. Researchers discovered the technique in the analysis of a skimming campaign against an optical retailer’s e-commerce site.
Defending against this kind of threat starts with applying common best practices, such as limiting access and privileges for critical systems and hardening underlying web servers. Beyond that, organizations should also deploy change monitoring and detection technologies that can alert security teams of unusual activity, such as a change in their e-commerce web pages.