
Magecart: 50,000 credit cards stolen from 300 restaurants

Using the Magecart skimmer on restaurant platforms, the hackers managed to steal the data of 50,000 credit cards.

Payment card details from customers of more than 300 restaurants have been stolen in two web-skimming campaigns targeting three online ordering platforms.

Web skimmers, or Magecart malware, are usually JavaScript code that collects credit card data when online shoppers type it into the checkout page.

Recently, Recorded Future's threat detection tools identified two Magecart campaigns that inject malicious code into the online ordering portals of MenuDrive, Harbortouch and InTouchPOS.

As a result, 50,000 credit cards were stolen and have already been offered for sale on various dark web markets.

The first Magecart campaign was launched on 18 January 2022 and reached 80 restaurants using MenuDrive and 74 using the Harbortouch platform.

Most of these restaurants are small local establishments across the US that use the platform as a more cost-effective alternative to facilitate the online ordering process.

On both platforms, the Magecart skimmer was injected into the restaurants' websites and the subdomains assigned to them on the online payment service's platform.

The web skimmer developed for MenuDrive used two scripts: one to extract the payment card data and another to collect the cardholder's name, address, email and telephone number. It does this by attaching to the "onmousedown" event and "responding to multiple button clicks during the account creation and checkout process."

At Harbortouch, the skimmer used a single script to steal all personally identifiable information (PII) and credit card data.

The second Magecart skimmer campaign, targeting InTouchPOS, was launched on 12 November 2021, but most of the skimmer infections on websites occurred much later, in January 2022.


The Magecart skimmer and the artifacts that characterize it (variable naming, structure, and encryption schemes) link it to older and ongoing campaigns, Recorded Future says in a report shared with BleepingComputer.

In this case, the Magecart skimmer does not steal the details from the website itself, but instead overlays a fake payment form on valid targets that are ready to complete the purchase using a credit card.

According to Recorded Future, both campaigns are ongoing and the corresponding exfiltration domains are still online and operational.

The security company has notified all affected entities about the Magecart skimmer infection, but it has not yet received a response. Law enforcement and payment platforms have been notified accordingly.

In the case of MenuDrive and Harbortouch, removing the Magecart skimmers requires scanning all restaurant subdomains.

The Magecart infection in InTouchPOS is easier to detect with most security scanners, as it uses a JavaScript downloader for the skimmer, which can be detected through simple code comparison.
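The code comparison mentioned above, applied across restaurant subdomains as the cleanup requires, shown as an added example (not code from Recorded Future or the affected platforms): it diffs the scripts each subdomain serves against a known-good baseline page. The subdomain names, hosts and page bodies are constructed, and the baseline is assumed to be a clean copy of the ordering page.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline script bodies."""
    def __init__(self, html):
        super().__init__()
        self.external, self.inline, self._buf = set(), set(), None
        self.feed(html)
        self.close()
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._buf = []  # start buffering an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def scan(baseline_html, live_pages):
    """Map each subdomain to the scripts it serves that the baseline lacks."""
    base = ScriptCollector(baseline_html)
    base_hosts = {urlparse(u).netloc for u in base.external} | {""}
    findings = {}
    for subdomain, html in live_pages.items():
        live = ScriptCollector(html)
        new_ext = sorted(live.external - base.external)
        hosts = sorted({urlparse(u).netloc for u in new_ext} - base_hosts)
        new_inline = sorted(live.inline - base.inline)
        if new_ext or new_inline:
            findings[subdomain] = {"external": new_ext, "hosts": hosts, "inline": new_inline}
    return findings

# Constructed sample pages (hypothetical hosts, not from the affected platforms).
BASELINE = '<script src="/js/order.js"></script><script>initCart();</script>'
PAGES = {
    "cafe-a.ordering.example": BASELINE,
    "cafe-b.ordering.example": BASELINE + '<script src="https://static.example.net/l.js"></script>',
    "cafe-c.ordering.example": BASELINE.replace("initCart();", "initCart();loadExtra();"),
}
```

`scan(BASELINE, PAGES)` flags only the two modified subdomains: one for a script loaded from a host the baseline never references, the other for an inline script whose digest changed.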

Source: bleepingcomputer.com
