Researchers on Monday discovered a new Magecart campaign that has impacted at least 44 e-commerce sites.
In a blog post, Jscrambler researchers said the incident underscores how risky client-side security becomes when the web supply chain is left unchecked. The researchers said that, in what appears to be a new and cheap way to acquire victims, attackers took over a defunct internet domain that had previously hosted a JavaScript library decommissioned in December 2014.
The researchers said companies still loading that JavaScript had failed to remove it from their websites, most likely because of a lack of visibility into third-party scripts, poor security policies, or both.
This attack has been underway since Dec. 20, 2021, and uses a loader script that resembles Google Analytics, a script included in many websites. Another version is made to resemble Google Tag Manager, the researchers said; the resemblance is purely for deception, since the real endpoint the loader contacts is encrypted or encoded.
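The two weaknesses the researchers describe, no inventory of third-party scripts and loaders whose filenames imitate Google Analytics or Google Tag Manager while being served from elsewhere, can both be surfaced with a simple audit of the `<script>` tags a page ships. The following is an added example written for this article, not code from Jscrambler or from the campaign; the sample HTML, the allowlist of expected hosts (`ALLOWED_HOSTS`) and the marker strings are constructed for illustration.

```python
"""Audit the external <script> tags in an HTML page.

Flags three things a defender cares about in a Magecart-style takeover of a
third-party script host:
  * host-not-allowlisted : the script is served from a host the site owner
                           has not consciously approved (inventory gap)
  * mimics-google-loader : the filename looks like a Google Analytics / Tag
                           Manager loader but the host is not Google's
  * no-sri               : a cross-origin script has no integrity attribute,
                           so a swapped file on the same URL would load silently
Added example; all sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the (hypothetical) shop knowingly depends on. In practice this list
# is produced by reviewing the site's own templates and tag configuration.
ALLOWED_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "cdn.example-shop.test",
}

# Where the genuine Google loaders live, and filename fragments they use.
GOOGLE_LOADER_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
GOOGLE_LOADER_MARKERS = ("analytics.js", "gtag", "gtm.js")

# Constructed sample page: one legitimate GA loader, one pinned first-party CDN
# script, one lookalike loader on an unrelated host, a relative script and an
# inline script (the last two are outside the scope of this audit).
SAMPLE_HTML = """
<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example-shop.test/app.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://legacy-lib.example/js/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects (src, has_integrity) for every <script> tag with a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        # Boolean attributes such as "async" arrive with value None.
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if "src" in attr_map:
            self.scripts.append((attr_map["src"], bool(attr_map.get("integrity"))))


def audit_scripts(html, allowed_hosts):
    """Return one finding per external script: {'src', 'host', 'issues'}."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_sri in collector.scripts:
        parsed = urlparse(src.strip())
        host = parsed.netloc.lower()
        if not host:
            continue  # relative URL: first-party, not a supply-chain concern here
        issues = []
        if host not in allowed_hosts:
            issues.append("host-not-allowlisted")
        path = parsed.path.lower()
        if any(marker in path for marker in GOOGLE_LOADER_MARKERS) and host not in GOOGLE_LOADER_HOSTS:
            issues.append("mimics-google-loader")
        if not has_sri:
            issues.append("no-sri")
        findings.append({"src": src, "host": host, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, ALLOWED_HOSTS):
        status = ", ".join(finding["issues"]) or "ok"
        print(f"{finding['src']}: {status}")
```

Run against the sample, the lookalike `legacy-lib.example/js/analytics.js` trips all three checks, which is the profile of the loader described above: an unexpected host serving a file named to blend in with analytics traffic. The `no-sri` finding on the genuine Google Analytics loader is informational rather than actionable, because vendors that update such scripts in place cannot be pinned with Subresource Integrity; for those, the allowlist and a Content Security Policy `script-src` directive are the controls that remain.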
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.