Monday, 29 April 2019 09:59

Magecart skimmers now being hosted on GitHub


Attackers have used the GitHub code repository to host credit card skimmers known as Magecart, security firm Malwarebytes says, adding that new e-commerce websites are being attacked every day.

In a blog post, researcher Jérôme Segura said in most cases, the code used for skimming — written in JavaScript and obfuscated — was hosted on servers controlled by the attackers themselves.

Most of these servers had domain names mimicking Magento, the most-attacked e-commerce platform.

Last year, British Airways was attacked with a variant of Magecart, as was online retailer Newegg.

"However, as we sometimes see in other types of compromises, threat actors can also abuse the resources of legitimate providers, such as code repository GitHub, acquired by Microsoft last year," Segura said.

The latest skimmer found by the company was a hex-encoded piece of JavaScript uploaded to GitHub on 20 April by a user with the moniker momo33333, who had opened a GitHub account that same day.

Segura posted a number of images of the obfuscated JavaScript, noting that the attacker appeared to be fine-tuning the skimmer after testing.


The deobfuscated script shows the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent. Courtesy Malwarebytes

He also posted an image of the deobfuscated script, in which it was possible to see the domain to which data was being exfiltrated.

Segura said the compromised Magento sites would continue to be at risk, even if the GitHub-hosted skimmer was taken down.

"Indeed, attackers can easily re-infect them in the same manner they initially injected the first one," he said.

"It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as using secure authentication methods. Over the past year, we have identified thousands of sites that are hacked and posing a risk for online shoppers."

Commenting on the incident, Peter Blum, vice-president of Technology at Instart, a company that provides cloud services for application performance and security, said: "With the rapid rise of third-party JavaScript code used on websites, it's easier than ever for malicious third parties to gain access to sensitive information such as credit card numbers, address information and even login credentials.

"My advice for companies is to take a zero trust model with JavaScript on their sites, starting with a policy to block access by default to any sensitive information entered in Web forms and stored cookies.

"From there, you only allow a select set of vetted scripts (usually only your own) to access this sensitive data. And as a result, if this type of skimming code does get on your site, it simply can't access any sensitive information."

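A static audit that site owners can run alongside the advice above, shown as an added example (not code from Malwarebytes, Instart or the article itself): it lists scripts on a checkout page that load from hosts outside an allowlist, however reputable the host, and flags inline scripts made up mostly of `\xNN` escapes, decoding them for review. The allowlist, the threshold, the function names and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: audit the <script> tags of a checkout page (Node.js, no dependencies).
// ALLOWED_HOSTS, HEX_RATIO_LIMIT and SAMPLE_HTML are assumptions, constructed for illustration.
const ALLOWED_HOSTS = new Set(["shop.example", "static.shop.example"]);
const HEX_RATIO_LIMIT = 0.3;

// Turn \xNN escapes back into characters so an analyst can read the strings; nothing is executed.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Share of the script's characters that sit inside \xNN escapes (4 characters each).
function hexEscapeRatio(src) {
  const hits = src.match(/\\x[0-9a-fA-F]{2}/g) || [];
  return src.length ? (hits.length * 4) / src.length : 0;
}

// Return one finding per external script from an unlisted host and per hex-heavy inline script.
function auditScripts(html, pageUrl) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (srcMatch) {
      const host = new URL(srcMatch[1], pageUrl).hostname; // resolves relative paths too
      if (!ALLOWED_HOSTS.has(host)) findings.push({ type: "unlisted-host", host });
    } else if (hexEscapeRatio(body) > HEX_RATIO_LIMIT) {
      findings.push({ type: "hex-obfuscated-inline", decoded: decodeHexEscapes(body).trim() });
    }
  }
  return findings;
}

// Constructed sample page: two allowed scripts, one from a code-hosting domain, one hex-encoded inline.
const SAMPLE_HTML = String.raw`
<script src="/js/checkout.js"></script>
<script src="https://static.shop.example/vendor/jquery.min.js"></script>
<script src="https://raw.githubusercontent.com/example-user/example-repo/master/lib.js"></script>
<script>var _0x1=["\x63\x61\x72\x64\x5f\x6e\x75\x6d\x62\x65\x72"];</script>
`;

console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

Run against a saved copy of each payment page after every deployment; a new finding means a script was added that nobody vetted.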



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


