MageCart Attackers Compromise Cloud Service Firm Feedify
18.9.18 securityweek Hacking

Hundreds of e-commerce Sites Impacted by MageCart Compromise of Cloud Service Provider

Payment card data from customers of hundreds of e-commerce websites may have been stolen after the MageCart threat actors managed to compromise customer engagement service Feedify.

Feedify, which claims to have over 4,000 customers, provides customers with various tools to target users based on their behavior, along with real-time analytics, reports, and push notifications.

The infection was possible because Feedify requires customers to add a JavaScript script to their websites to use the service. The script loads various resources from Feedify’s servers, including a compromised library named “feedbackembad-min-1.0.js,” which is used by hundreds of sites.

This means that anyone who loaded a Feedify customer's website, and with it the compromised feedback library, may have had their personal and payment information stolen by the malicious MageCart code.

Tracked since 2015, MageCart has been targeting e-commerce sites with web-based card skimmers – malicious code that steals payment card and other sensitive information provided by the users. The actors have hit a large number of businesses, including Ticketmaster and British Airways.

Now, researchers have discovered that the actors managed to compromise Feedify and that they injected their malicious code into a library the Feedify script served to customers’ websites. Thus, all those who visited the impacted sites would load the malicious code in their browsers.

On Wednesday, RiskIQ researcher Yonathan Klijnsma confirmed not only that Feedify was compromised, but also that the attackers might have had access to the service’s servers for nearly a month.

Yonathan Klijnsma (@ydklijnsma): They've been affected by Magecart since Friday, August 17 18 @ 16:51:01 GMT as we recorded it.

Quoted tweet from Placebo (@Placebo52510486): Magecart on Feedify. A customer engagement tool. According to their website 4000+ websites use their tooling/code. Fixed today after I notified them. @ydklijnsma @GossiTheDog

10:05 PM - Sep 11, 18

Feedify apparently removed the malicious code after a security researcher alerted them on Tuesday, but it didn’t take long for the attackers to re-infect the script, revealing that the actors still had access to the company’s servers.

As previous reporting on MageCart underlined, the attackers appear to have broad access to the compromised infrastructure and do not hesitate to re-inject their malicious code once it is removed. In one instance, they even threatened the victim, claiming they would encrypt all of its resources if the malicious code were removed again.

At the end of August, security researcher Willem de Groot revealed that the attackers might have planted their credit card data-scraping code on over 7,000 websites. The skimmers reacted quickly to blocking attempts and were compromising tens of new sites per day, he said.

SecurityWeek contacted Feedify for a statement on the incident, but a company spokesperson wasn't immediately available for comment.