Initially, the name MageCart referred to a single hacking group, the first to use web skimmers on websites to steal bank card data. This approach proved so successful that the group soon had numerous imitators, and MageCart became a household name that now designates a whole class of such attacks. Where RiskIQ researchers identified 12 such groups in 2018, IBM now counts about 38.
This week, Malwarebytes experts reported that they had discovered several MageCart web skimmers on Heroku, the cloud PaaS platform owned by Salesforce. The skimmers were used in active malicious campaigns: the hackers behind the scheme not only used Heroku to host their infrastructure and deliver skimmers to target sites, but also used the service to store the stolen card data.
Researchers found four free Heroku accounts that hosted scripts aimed at four third-party merchants:
- stark-gorge-44782 (.) herokuapp (.) com was used against correcttoes (.) com;
- ancient-savannah-86049 (.) herokuapp (.) com/configration.js was used against panafoto (.) com;
- pure-peak-91770 (.) herokuapp (.) com/intregration.js was used against alashancashmere (.) com;
- liquid-scrubland-51318 (.) herokuapp (.) com/configuration.js was used against amapur (.) de.
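The skimmers above were all delivered as scripts loaded from attacker-controlled herokuapp.com subdomains, so a basic defensive check is to audit which external hosts a store's pages load scripts from. The following is an added example, not code from the report or from Malwarebytes; the merchant hostname, the allowlist and the sample page are constructed, and only the Heroku host comes from the list above.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a store's checkout page: a relative first-party script,
# an allowlisted CDN, an unknown third party, and a skimmer loaded from one of
# the Heroku hosts named in the report.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script src="https://cdn.example-merchant.com/vendor.js"></script>
<script src="https://stats.unknown-analytics.net/t.js"></script>
<script type="text/javascript"
        src="https://pure-peak-91770.herokuapp.com/intregration.js"></script>
</head><body>...</body></html>
"""

# Assumed allowlist: hosts the merchant knowingly loads scripts from.
ALLOWED_HOSTS = {"cdn.example-merchant.com"}

# Free PaaS domain abused for skimmer hosting in this campaign.
SUSPECT_SUFFIXES = (".herokuapp.com",)

# Matches the src attribute of <script> tags, even when the tag spans lines.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc=["\']([^"\']+)["\']', re.I | re.S)


def audit_scripts(html, first_party, allowed=ALLOWED_HOSTS):
    """Return [(url, reason)] for external script sources that need review."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host is None or host == first_party:
            continue  # relative or first-party script: covered by the site's own review
        if host.endswith(SUSPECT_SUFFIXES):
            findings.append((src, "script served from free PaaS hosting"))
        elif host not in allowed:
            findings.append((src, "third-party host not in allowlist"))
    return findings


if __name__ == "__main__":
    for url, reason in audit_scripts(SAMPLE_HTML, "www.example-merchant.com"):
        print(f"{reason}: {url}")
```

Running the same audit against a saved copy of each checkout page on a schedule, and diffing the findings, turns a newly injected external script into an alert rather than something discovered weeks later.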
Of course, besides setting up the Heroku accounts and deploying the skimmer code and data collection systems, the scheme also required compromising the targeted sites themselves. So far the researchers have not established how they were hacked, although some of the sites ran unpatched web applications.
Researchers found several web skimmers on Heroku at the same time. In all cases the scripts were named according to the same scheme, and all of them went live during the past week. This indicates either the work of a single hacking group or attackers working from the same source code. It appears the attackers timed their operations for Cyber Monday and the upcoming holiday shopping season.
Malwarebytes experts note that the abuse of Heroku is not the first such precedent: Magecart skimmers were previously discovered on GitHub (April 2019) and on AWS S3 (June 2019).