Magecart threat actors used the same skimmer against two web-based vendors in an attempt to steal users' payment card information.
As discovered by security researcher Willem de Groot, the first attack took place at 15:56:42 GMT on 10 May when bad actors injected the skimmer into the bottom of a script used by cloud management system CloudCMS.
And also hacked: https://t.co/mrotpDAgoG with around 3400 sites. https://t.co/wxR98sdz8t
– Willem de Groot (@gwillem) May 12, 2019
The injection targeted version 1.5.23 of the script, which limited the scope of the attack. According to RiskIQ, version 1.5.23 affects only 20 percent of the sites that use CloudCMS.
Even then, RiskIQ noted that only a few hundred websites were using CloudCMS scripts at the time of detection. Sites using the affected version of the script were fewer still.
Unlike in the CloudCMS case, RiskIQ found that hundreds of sites were using the script in question. But the problem described above probably limited the number of times the skimmer could run in a user's browser.
RiskIQ believes these two examples show how bad actors are becoming increasingly efficient at launching supply chain attacks. This is worrying given the limited visibility many organizations have into their web-facing attack surface. As the company explains in a blog post:
… [I]t takes consumers less time than ever to see their data stolen, apparently out of the blue. Ultimately it does not matter to the consumer whether this happens as a result of a traditional infringement or a web-based supply chain attack. The reputation of organizations that manage online payment forms is at stake, as well as the general trust of online shoppers.
To help defend against attacks such as those described above, RiskIQ recommends that organizations improve their visibility and invest in monitoring their entire attack surface.
News of these compromises comes just a few months after a criminal Magecart gang successfully compromised hundreds of e-commerce websites through a malicious script that collected personal data and payment card information while customers bought goods and services online.