As Symantec notes on their website:
“If we compare the week of September 13 to 20 to the same week in August, the number of instances of form jacking attacks blocked by Symantec more than doubled, jumping from just over 41,000 to almost 88.500 – a percentage increase of 117 percent.”
Leading the surge is a particularly nasty strain of malware known as “Magecart.” Magecart campaigns are quite robust that begin by breaching the target website, then injecting malicious scripts into it that are designed to scrape card details and other customer information provided during the checkout process. This is an attack that’s alternately known as formjacking, payment card scraping, and web-based skimming.
Symantec isn’t the only company to take note of the trend. RiskIQ has been sink holing domains associated with Magecart infrastructure for much of the month and alerting companies compromised by Magecart attacks as they find them.
Kevin Beaumont, an independent security researcher, had this to say via Twitter:
“#TrackingMagecart I’ve updated the IoCs to double the number of domains, now tracking over 1000 objects – some of the domains have now been sink holed. Recommend InfoSec vendors block/flag domains.”
Magecart isn’t new. Security researchers have been tracking it since 2015, and independent researcher Willem de Groot has created a malware scanning website called MageReport, which allows business owners to check to see if their Magento-based webshop is vulnerable to this type of attack. If you think you might be, it certainly bears making use of.
At present, the one thing that’s not known is the reason behind the sudden spike. Only that it’s happening.