Category Archives: Magecart

MyPillow and Amerisleep are the latest victims of Magecart gangs

Security experts at riskIQ revealed today that another two organizations were victims of Magecart crime gang, the bedding retailers MyPillow and Amerisleep.

Security experts at RiskIQ announced that the two bedding retailers MyPillow and Amerisleep were victims of the Magecart cybercrime gang.

The Magecart umbrella includes at least 11 different hacking crews that has been active at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data on, but they are quite different from each other. 

The list of victims of Magecart groups is long and includes several major platforms such as British AirwaysNeweggTicketmaster, and Feedify​​

Now RiskIQ published a report that discloses two new credit-card breaches associated with Magecart threat actors. Hackers stole payment card data from online bedding retailers MyPillow and Amerisleep by implanting a digital skimming code on both websites. One of the incidents has never been disclosed, the other was solved.

“In this blog, we’ll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep.” reads the advisory published by RiskIQ. “One has been resolved but was never disclosed and another is ongoing despite numerous attempts by us to contact the affected retailer. In both cases, the potential victims of credit card fraud, the consumers, have not been informed.”

Magecart skimmer

MyPillow website was compromised in October 2018, in this case, crooks inserted a skimming code on the site that was hosted on a look-alike domain (mypiltow[.]com), a typo-squat on the legitimate domain of MyPillow, and using a certificate issued by LetsEncrypt.

The skimming script remained on the website from October 1st to November 19th.

The second company hit by the Magecart gang is Amerisleep, it was targeted by same crews multiple times in 2017. The latest attack dates back December 2018, when Magecart compromised the website injecting skimmers contained on a Github account.

The latest attack against Amerisleep was discovered in January, experts noticed that the skimming scripts were injected by the attackers only on payment pages.

“In December 2018, the attackers had used a new skimming setup with a fascinating new method. The attackers abused Github by registering a Github account called “amerisleep” and creating the Github Pages address” continues the post.

“This skimming method quickly disappeared.” “Starting in January, we observed a different skimmer that Magecart actors injected with some conditional checks to ensure the script would only go on payment pages. Formerly, the skimmers themselves would check to see if they were already on an active payment page.”

Experts noticed that the skimmer domain has been taken offline, but that the injection is still live on the website as of the publishing of the report.

“Magecart has capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.” concludes the report.

“Businesses need to focus on visibility into internet-facing attack surfaces and increase scrutiny of third-party services that form an integral part of modern web applications. The reputation of organizations that run payment forms online and the overall confidence of online shoppers is at stake.”

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking )

The post MyPillow and Amerisleep are the latest victims of Magecart gangs appeared first on Security Affairs.

New MageCart Attacks Target Bedding Retailers My Pillow and Amerisleep

Cybersecurity researchers today disclosed details of two newly identified Magecart attacks targeting online shoppers of bedding retailers MyPillow and Amerisleep. Magecart is an umbrella term researchers gave to at least 11 different hacking groups that are specialized in implanting malware code on e-commerce websites with an intent to steal payment card details of their customers silently.

Payment data of thousands of customers of UK and US online stores could have been compromised

Group-IB, an international company that specializes in preventing cyberattacks, has uncovered a malicious code designed to steal customers’ payment data on seven online stores in the UK and the US.

The injected code has been identified as a new JavaScript Sniffer (JS Sniffer), dubbed by Group-IB as GMO. Group-IB Threat Intelligence team first discovered the GMO JS Sniffer on the website of the international sporting goods company FILA UK, which could have led to the theft of payment details of at least 5,600 customers for the past 4 months.  

Do your payments have the sniffles?

Most recent breaches similar to this include British Airways and Ticketmaster which were first analyzed by RiskIQ research team, where cybercriminals managed to compromise personal information of thousands of travelers and concert goers with a few of lines of code. British Airways and Ticketmaster websites were infected with JS Sniffers, a type of malicious code injected into a victim’s website designed to steal a consumer’s personal data including payment card details, names, credentials etc. FILA UK website ([.]uk) became cybercriminals’ new major target on the UK market . GMO JS Sniffer has also been discovered on 6 other websites of US-based companies. This type of attack is especially dangerous given that it can be applied to almost any e-commerce site around the world. Group-IB made multiple attempts to alert FILA, which was known to be impacted by GMO. Six other websites affected by this JS Sniffer were notified upon discovery as well. Group-IB team has also reached out to local authorities in the UK and the US to conduct outreach.

Group-IB’s Threat Intelligence team first discovered GMO on the FILA UK website. The malicious code was detected in early March 2019. In the course of further research it was revealed that GMO JS Sniffer has presumably been collecting customer payment data since November 2018. According to, the number of[.]uk unique monthly visitors is estimated at around 140k per month. According to IRP, UK market research firm, a minimum conversion into purchase for fashion and clothing ecommerce is equal to 1%. Using very conservative estimates, payment and personal details of at least 5,600 customers could have been stolen by cybercriminals – everyone who has purchased items on since November 2018 has potentially had their details compromised. Typically, after customer data is stolen, it is usually resold on underground cardshops. Another scheme of cashing out involves the use of compromised cards to buy valuable goods, e.g. electronics, for onward sale.

“One-line card stealing code downloads a JavaScript Sniffer once a customer lands on a checkout page, which intercepts credit card data and sends it to local storage. After, the payment cards’ details are sent to the JS Sniffer’s gate which is located on the same server as a JS Sniffer script itself. Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS (content management system), used by, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods” – comments Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB. “We dubbed this JS Sniffer family GMO because the malware uses gmo[.]li host.”

payment data 1

 Fig. 1 The screenshot shows a one-line code (line # 771) that downloads a JS Sniffer designed to steal customers’ data once a user lands on a checkout page.

payment data 2

Fig. 2 The screenshot shows part of the JS Sniffer that detects Chrome Dev Tools and Firebug & the Sniffer downloaded to user’s browser once a user lands on a checkout page

payment data 3

Fig. 3 The screenshot shows part of the JS Sniffer with functions for collecting victim’s billing and payment information and sending extracted information to cybercriminals via image request

payment data 4

Fig. 4 The screenshot shows part of the JS Sniffer that calls functions for collecting and sending victim’s payment information to cybercriminals

Later Group-IB’s specialists found other websites infected with GMO JS Sniffer. The list included six ecommerce stores with a total of around 350,000 monthly unique visitors (according to rankings): http://jungleeny[.]com (Home design store), https://forshaw[.]com/ (Pest Management Products Store), https://www.absolutenewyork[.]com/ (Cosmetics Store),https://www.cajungrocer[.]com/ (Online Grocery Store), https://www.getrxd[.]com/ (Training Equipment Store), https://www.sharbor[.]com/ (Video Editing Apparel store).

E pluribus unum?

GMO is a family of JS Sniffers that targets Magento-based online stores. GMO can detect Firebug and Google Developer Tools, which allows the sniffer to remain undetected. Group-IB’s Threat Intelligence team discovered that GMO has been active since May 2018. The domain name used for the sniffer’s codes storage and as a gate for stolen data collection was registered on May 7, 2018. The newly discovered GMO JS Sniffer is one of the 15 families of sniffers described by Group-IB in its new report that the company is prepping to release soon. Group-IB Threat Intelligence customers will be the first to receive the report. Nine out of these fifteen JS Sniffers’ families were not previously researched.

“JS Sniffers is a type of malware that remains poorly researched. Despite its simplicity, it is capable of causing massive financial and reputational damage to huge international corporations and therefore should not be underestimated. Recent data breaches at British Airways and Ticketmaster proved this point. And not only small online stores get affected, but also payment systems and banks whose clients’ suffer from payment data leaks. The umbrella term “Magecart” given to these attacks by RiskIQ analysts should be much broader than that. There are many more groups using distinct families of JS Sniffers capable of targeting online stores. Since in some cases it is difficult to determine how many people use the sniffer, Group-IB experts call them families, not groups. Every family of JS Sniffers has unique characteristics and requires a detailed analysis,”– says Dmitry Volkov.

“Group-IB Threat Intelligence team continuously analyses new types of JS Sniffers: multipurpose and specific, designed to target particular content management systems. Considering, the size of the market and the mounting threat JS Sniffers pose Group-IB decided to analyze several sniffers’ families enriching the knowledge about this malware significantly adding to the prior attempts to research JS Sniffers.”

About the author: About Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

Pierluigi Paganini

(SecurityAffairs – payment data, cybercrime )

The post Payment data of thousands of customers of UK and US online stores could have been compromised appeared first on Security Affairs.

New Golang brute forcer discovered amid rise in e-commerce attacks

E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externally. Its purpose is to watch for user input, in particular around online shopping carts, and send the perpetrators that data, such as credit card numbers and passwords, in clear text.

Compromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems (CMSes) like Magento, as well as in various plugins are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks where multiple logins are attempted are still a viable option.

Our investigation started following the discovery of many Magento websites that were newly infected. We pivoted on the domain name used by the skimmer and found a connection to a new piece of malware that turned out to be a brute forcer for Magento, phpMyAdmin, and cPanel. While we can’t ascertain for sure whether this is how the skimmer was injected, we believe this may be one of many campaigns currently going after e-commerce sites.

Compromised website

The malicious code was found injected directly into the site’s homepage, referencing an external piece of JavaScript. This means that the shopping site had been compromised either via a vulnerability or by brute forcing the administrator password.

The online store is running the Magento CMS and using the OneStepCheckout library to process customers’ shopping carts. As the victim enters their address and payment details, their data is exfiltrated via a POST request with the information in Base64 format to googletagmanager[.]eu. This domain has been flagged before as part of criminal activities related to the Magecart threat groups.

Using VirusTotal Graph, we found a connection between this e-commerce site and a piece of malware written in Golang, more specifically a network query from the piece of malware to the compromised website. Expanding on it, we saw that the malware was dropped by yet another binary written in Delphi. Perhaps more interestingly, this opened up another large set of domains with which the malware communicates.

Payload analysis

Delphi downloader

The first part is a downloader we detect as Trojan.WallyShack that has two layers of packing. The first layer is UPX. After unpacking it with the default UPX, we get the second layer: an underground packer using process hollowing.

The downloader is pretty simple. First, it collects some basic information about the system, and then it beacons to the C2. We can see that the domain names for the panels are hardcoded in the binary:

The main goal of this element is to download and run a payload file:

Golang payload

Here the dropped payload installs itself in the Startup folder, by first dumping a bash script in %TEMP%, which is then deployed under the Startup folder. The sample is not packed, and looking inside, we can find artifacts indicating that it was written in Golang version 1.9. We detect this file as Trojan.StealthWorker.GO.

The procedure of reversing will be similar to what we have done before with another Golang sample. Looking at the functions with prefix “main_”,  we can distinguish the functions that were part of the analyzed binary, rather than part of statically-linked libraries.

We found several functions with the name “Brut,” suggesting this piece of malware is dedicated to brute forcing.

This is the malware sample that communicated with the aforementioned compromised e-commerce site. In the following section, we will review how communication and tasks are implemented.

Bot communication and brute forcing

Upon execution, the Golang binary will connect to 5.45.69[.]149. Checking that IP address, we can indeed see a web panel:

The bot proceeds to report the infected computer is ready for a new task via a series of HTTP requests announcing itself and then receiving instructions. You can see below how the bot will attempt to brute force Magento sites leveraging the /downloader/directory point of entry:

Brute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage CMS or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load onto a large number of workers. Given that many people are still using weak passwords for authentication, brute forcing can still be an effective method to compromise websites.

Attack timeframe and other connections

We found many different variants of that Golang sample, the majority of them first seen in VirusTotal in early February (hashes available in the IOCs section below).

Checking on some of these other samples, we noticed that there’s more than just Magento brute forcing. Indeed, some bots are instead going after WordPress sites, for example. Whenever the bot checks back with the server, it will receive a new set of domains and passwords. Here’s an example of brute forcing phpMyAdmin:


Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

As we were investigating this campaign, we saw a tweet by Willem de Groot noting a recent increase in skimmers related to googletagmanager[.]eutied to Adminer, a database management utility. The shopping site on which we started our research was compromised only a few days ago. Without server logs and the ability to perform a forensic investigation, we can only assume it was hacked in one of many possible scenarios, including the Adminer/MySQL flaw or brute forcing the password.

Multiple weaknesses

There are many different weaknesses in this ecosystem that can be exploited. From website owners not being diligent with security updates or their passwords, to end users running infected computers turned into bots and unknowingly helping to hack web portals.

As always, it is important to keep web server software up-to-date and augment this protection by using a web application firewall to fend off new attacks. There are different methods to thwart brute force attacks, including the use of the .htaccess file to restrict which IP address is allowed to log in.

Skimmers are a real problem for online shoppers who are becoming more and more wary of entering their personal information into e-commerce websites. While victims may not know where and when theft happened, it does not bode well for online merchants when their platform has been compromised.

Malwarebytes detects the malware used in these attacks and blocks the skimmer gate.

With additional contributions from @hasherezade.

Indicators of Compromise (IOCs)

Skimmer domain


Delphi downloader


Delphi C2


Golang bruteforcer


Similar Golang bruteforcers


C2 server


The post New Golang brute forcer discovered amid rise in e-commerce attacks appeared first on Malwarebytes Labs.

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 concludes reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 millions users of "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure their internet connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.

A large data breach reported in Brazil is of interest, a massive 120 million Brazilian citizens personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018, the lesson to be learnt in the UK, is to never assume or take cloud security for granted, its essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employee's personal data may had been compromised. Lets hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.  
NASA InSight Lander arrives on Mars 

It wouldn't be normal for Facebook not to be in the headlines for poor privacy, this time Facebook announced a Photo API bug which exposed 6.8 million user images

Away from the political circus that is Brexit, the European Parliament put into a law a new Cybersecurity Act. Because of the Brexit making all the headlines, this new law may have gone under the radar, but it certainly worth keeping an eye on, even after UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect these new best practice framework and associated accreditations to be turned into regulations further down the line, which would impact any tech business operating in European Union.

The UK Parliament enacted the "The Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to UK's future critical national infrastructure posed by the Chinese stated-backed tech giant.  The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in new UK mobile network.
Security company Insinia cause controversy after it took over the Twitter accounts by Eamon Holmes, Louis Theroux and several others celebs. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, to inject messages onto the targeted accounts by analysing the way the social network interacted with smartphones when messages are sent. However, Insinia were accused of being unethical and breaking the UK Computer Misuse Act in some quarters.

Unsecured internet connected printers are being hacked again, this time they were used to sent print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up 50,000 printers after using Shodan to search for open printer ports online, the scan was said to have found 800,000 vulnerable printers.

An Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way. The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.