MagentoCore

A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.

The script is what industry experts call a "payment card scraper" or "skimmer." Hackers breach sites and modify their source code to load the script along with its legitimate files.

The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker's control.
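One defensive check that follows from the description above, written here as an added example (not code from the report or from Magento): it parses a checkout page's HTML and flags any script loaded from a host outside a store-specific allowlist, with the magentocore.net domain named in the article called out explicitly. The allowlist hosts and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from (assumed per-store allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.example"}
# Skimmer host named in the report; any other unexpected host is flagged too.
KNOWN_BAD_HOSTS = {"magentocore.net"}

class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_page(html):
    """Return (reason, src) findings for script loads the store did not sanction."""
    parser = ScriptSources()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        parsed = urlparse(src)
        host = parsed.hostname  # None for relative paths, which the store serves itself
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known skimmer host", src))
        elif host is None and parsed.scheme:  # e.g. data: URIs, which name no host
            findings.append(("non-network script source", src))
        elif host is not None and host not in ALLOWED_HOSTS:
            findings.append(("script from unexpected host", src))
    return findings

# Constructed checkout page, not a real store; the .js path is a placeholder.
SAMPLE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="//magentocore.net/placeholder.js"></script>
</head><body><script>var f = document.forms[0];</script></body></html>"""

if __name__ == "__main__":
    for reason, src in audit_page(SAMPLE):
        print(f"{reason}: {src}")
```

Protocol-relative sources such as `//host/file.js` are the case worth testing, since a naive check for `http` would miss them.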

MagentoCore: the most prolific payment skimmer to date

On Monday this week, Willem de Groot, a well-known Dutch security expert, discovered a previously unreported card scraping campaign involving a skimmer script loaded from the magentocore.net domain.

According to de Groot, this is "the most successful to date."

The researcher says he found the script, which he named MagentoCore, on 7,339 Magento stores in the past six months.

"The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months," de Groot says. "New brands are hijacked at a pace of 50 to 60 stores per day."

A quick PublicWWW search reveals that the MagentoCore script can still be found on 5,172 domains today, at the time of writing.

"The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit," de Groot adds. "But the real victims are eventually the customers, who have their card and identity stolen."

MagentoCore operated by one of the three MageCart groups

Yonathan Klijnsma, Threat Researcher Lead for RiskIQ, told Bleeping Computer today that the massive MagentoCore campaign de Groot reported this week is actually part of a larger card scraping campaign known as MageCart.

MageCart has been active since late 2015. The MagentoCore malware and the associated magentocore.net domain are the work of one of three different groups that operate using the same tactics, all of which RiskIQ has been tracking as MageCart.

One of the other groups tracked under the MageCart moniker is the group that infected a popular chat widget with card scraping malware earlier this year. This chat widget is what caused the data breach that TicketMaster announced in June.

De Groot says he discovered the MagentoCore campaign while scanning the Internet for Magento shops and malware infections. According to de Groot, 4.2% of all Magento stores today are infected with one or more types of malicious scripts.

Last year, de Groot started asking owners of defunct or soon-to-be-dead online stores to donate their domains so that he could set up honeypots and track credit-card-stealing malware and other types of cyber-attacks on e-commerce sites.