Full Report
Trustwave SpiderLabs first blogged about Magecart back in 2019; fast forward five years and it is still here and still going strong.
Analysis Summary
# Threat Actor: Magecart (Collective)
## Attribution & Identity
Magecart is a collective term for various, continuously active cybercriminal groups or operations focused on digital skimming attacks. It has been active since at least 2015. The name originates from its initial primary targets: the Magento e-commerce platform ("cart" referencing shopping carts).
## Activity Summary
Magecart attacks involve the injection of malicious scripts (skimmers) onto e-commerce websites to steal payment card details and personal information during the checkout process.
* **General Activity:** Activity ramps up ahead of the holiday shopping season, and it surged during the pandemic due to the global shift to online shopping.
* **Recent Exploits (2024):** Attackers heavily leveraged known Magento vulnerabilities:
    * **CVE-2024-20720:** A critical command injection vulnerability in Adobe Magento (exploited by April 2024) used to insert persistent backdoors.
    * **CosmicSting:** Exploiting **CVE-2024-34102** (accessing sensitive files such as configuration keys) and **CVE-2024-2961** (privilege escalation) to achieve remote code execution and full system compromise on up to 75% of Adobe Commerce and Magento platforms. This attack compromised thousands of sites at a rate of 5–30 sites per hour.
* **Injection Methods:** Attackers insert skimmers directly into checkout pages or inject code into the site's global configuration (e.g., Magento footer sections) so that it executes on every page. In 2024, abuse of **Google Tag Manager (GTM)** containers to deploy skimming code was widely observed.
## Tactics, Techniques & Procedures
- Exploiting unpatched vulnerabilities in e-commerce platforms (Magento frequently targeted).
- Targeting third-party vendors with weaker security.
- Brute-forcing administrative credentials.
- Exploiting platform misconfigurations.
- **Vulnerability Exploitation:** Exploiting CVE-2024-20720 (Command Injection) and CVE-2024-34102/CVE-2024-2961 (RCE).
- Installing persistent backdoors post-compromise.
- Injecting malicious JavaScript skimmers onto checkout pages (the skimmer activates when the page URL contains keywords such as "checkout" or "onepage").
- Abusing legitimate mechanisms like Google Tag Manager (GTM) to embed malicious payloads.
- Injecting skimmers via the `<img>` tag's `src` attribute to load external scripts.
- Using **WebSocket** connections for real-time data exfiltration.
## Targeting
- **Sectors:** E-commerce websites and online stores.
- **Geography:** Global (implied by the extensive use of Magento).
- **Victims:** E-commerce websites running Adobe Commerce/Magento platforms. Cisco was mentioned as a victim whose e-commerce site was compromised, believed to have been breached via the CosmicSting vulnerability.
## Tools & Infrastructure
- **Malware families used:** Digital skimming scripts (skimmers).
- **Infrastructure:** Data exfiltration relies on delivering stolen data via URL parameters embedded in the `src` attribute of an image tag or via WebSocket connections to attacker-controlled C2 destinations.
## Implications
Magecart remains a persistent and highly effective threat due to the widespread adoption of e-commerce platforms, especially Magento. The recent exploitation of critical vulnerabilities like those in the CosmicSting campaign demonstrates the actor's capability to rapidly compromise a significant portion of the global e-commerce footprint, achieving remote code execution and persistent access. The heavy reliance on GTM and third-party services makes detection significantly more challenging for defenders.
## Mitigations
- Implement a defense-in-depth strategy.
- Fully patch all web server infrastructure, operating systems, software, and extensions.
- Disable non-essential extensions to reduce the attack surface.
- Ensure critical sections such as checkout load only the minimum necessary components.
- Implement a **Content Security Policy (CSP)**, especially on cart/checkout pages, to restrict script execution sources.
- Utilize **Subresource Integrity (SRI)** to verify the cryptographic hash of externally loaded resources.
- Monitor file changes on the website.
- Monitor external connections made by scripts, comparing them against allowlists/blocklists to detect unauthorized exfiltration attempts.
- Where feasible, minimize reliance on remote sources by using local copies of scripts.