By Oleg Kolesnikov and Harshvardhan Parashar, Securonix Threat Research Team
Updated November 6, 2018
Figure 1: Magecart modernizr-2.6.2.min.js Obfuscated Formgrabbing Payload from British Airways Attacks
Magecart, the malicious threat actor likely behind the breach, has impacted a number of other victims as part of the massive digital card skimming campaign, including the Ticketmaster and Newegg breaches from earlier this year [2, 3] that leveraged the software supply-chain attack modalities. Most recently, the Magecart malicious threat actor compromised the Cancer Research UK online store, Kitronik, and other British businesses , as well as A.P.C. .
The Securonix Threat Research Team has been actively investigating and closely monitoring these high-profile malicious attacks to help our customers prevent, detect, and mitigate/respond to the attacks.
Here is a summary of some of the key details about the British Airways Breach/Magecart attacks:
Personal and financial data theft of around 380,000 customers who made bookings and changes on ba.com or British Airways’ app between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018  Updated October 29, 2018: According the British Airways update published last week, in addition to the previously impacted 380,000 customers, hackers may have stolen personal data of 185,000 payment card holders not previously notified. The compromised PII likely included name, billing address, email address, and card payment information including card number, expiration date, and (for 77,000 of the 185,000 card holders) CVV. The potentially impacted customers were those making reward bookings between April 21 and July 28, 2018, and used a payment card .
Currently attributed to a malicious threat actor group known as “Magecart” which has been known for credit card and PII stealing activity since 2015 [3, 4]. Based on the information we have, there are likely other malicious threat actor groups performing malicious activity similar to Magecart.
Dynamic Covert C2 Drop Points
The Magecart malicious threat actor is known to use dynamic cover c2 drop points leveraging secure introspectable tunnels to localhost from ngrok.io for dynamic C2/formgrabbing drop points. For instance, b0b127c6.ngrok.io, f0c806aa.ngrok.io, and e7900f9c.ngrok.io are known to have been used in the past .
The malicious script injected by Magecart mainly has a PII logging functionality that captures all the data filled in the “Payment Form” and sends it to the server controlled by the attacker.
Some versions of Magecart include special tripwire code that detects the use of development tools to view the source of the scripts, and reports the IP address, browser, and timezone as well as some additional information about your system to one of the Magecart C2 addresses, for example, sslvalidator.com, rellicform.com, and others. 
Some of the malicious formgrabber/C2 domains observed :
Magecart Formgrabbing Supply Chain Attacks – Behaviors
Figure 2: Modified Card-Skimming feedbackembad-min-1.0.js at Feedify
Based on the publicly available details, it appears that Inbenta was compromised by Magecart using multiple web server file upload vulnerabilities .
Another website was also seen hosting Magecart’s credit card skimmer and using “safeyouform[.]com” to receive the skimmed credit card information earlier this month .
Figure 3: Example of a PHP Object Deserialization Attack Vector Likely Leveraged by Magecart in Logs
Magecart Formgrabbing Supply Chain Attacks – Likely Attack Progression
Based on the currently available details, the common likely attack progression for the Magecart/formgrabbing supply chain attacks is as follows. The initial reconnaissance is likely performed passively using a custom tool leveraging, for example, cache search for vulnerable PHP/Magento extensions and direct scans to identify the vulnerable services, for instance:
inurl:checkout/cart/ intitle:shopping cart
The infiltration vectors used following the initial reconnaissance are likely variants of the PHP Object Injection deserialization/APPSEC-1484/1480 , APPSEC-2015, and SQL Injection/APPSEC-2007  vulnerabilities functionality targeting Magento and a range of different third-party Magento extensions (see Figure 4 for an example of what the attack might look like in the logs). In case an off-site payment provider is used, such as Google or Paypal, the malicious threat actor can often use a one-time fake payment details form to collect PII followed by a redirect to the original payment form .
In case of the British Airways attack, the modernizr library compromised as part of the PII grabbing most likely was not the initial infiltration vector used. Based on the limited details available, the most likely attack progression was that the attackers leveraged a targeted variant of a custom malicious PHP/ZEND log payload for an initial infiltration into an Akamai/CDN instance used by British Airways followed by a likely web shell/formgrabbing modernizr payloads injection for baways.com as shown above.
Magecart Formgrabbing Supply Chain Attacks – Securonix Detection – Monitoring/SOC Perspective
Figure 4: Magecart modernizr* Supply Chain Attack in Endpoint Osquery FIM Logs
One way to implement the SOC monitoring of the web server content/FIM/endpoint logs can be using the osquery FIM module, e.g., by adding the following pack to the osquery.conf:
and including the following in the fim.conf:
“query”: “SELECT * FROM file_events;”,
“[path to your www server root]/%%”
Securonix Detection – Sample Spotter Search Queries
Some sample Spotter search queries to assist with detection of the existing compromises:
Network Monitoring (Network Traffic to formgrabber Domains)
(rg_category contains “Firewall” OR rg_category contains “proxy”) AND (destinationhostname IN “sslvalidator.com”, “rellicform.com”, “jquery-cdn.top”, “safeyouform.com”,”info-stat.ws”,”webfotce.me”,”jquery-cdn.top”,”docstart.su”,”govfree.pw”,”js-abuse.link”,”cdn-js.link”,”js-abuse.su”,”abuse-js.link”,”angular.club”,”js-stat.su”,”js-save.su”,”mageonline.net”,”js-save.link”,”jscript-cdn.com”,”js-syst.su”,”js-cdn.link”,”js-start.su”,”mage-cdn.link”,”magento-cdn.top”,”mod-sj.link”,”mod-js.su”,”js-mod.su”,”js-top.link”,”js-top.su”,”mage-js.link”,”mage-js.su”,”lolfree.pw”,”js-link.su”,”sj-mod.link”,”mipss.su”,”js-magic.link”,”js-sucuri.link”,”statdd.su”,”stecker.su”,”truefree.pw”,”syst-sj.link”,”stek-js.link”,”sj-syst.link”,”statsdot.eu”,”top-sj.link”,”stat-sj.link”) OR (destinationaddress IN “18.104.22.168”, “22.214.171.124”, “126.96.36.199”, “188.8.131.52”, “184.108.40.206”, “220.127.116.11”, “18.104.22.168”, “0”)
Securonix Detection – Some Examples of Securonix Predictive Indicators
Figure 5: Magecart modernizr* Formgrabbing Supply Chain Attack Detection Using Securonix
Due to the nature of the attacks, the required detection approaches fall into two categories, client-side and server-side detection. Below is a high-level summary of some of the relevant Securonix predictive indicators to increase the chances of early detection of this, and potentially other future variants of the Magecart malicious threat actor activity on your network:
- Suspicious Process Activity – Targeted – Critical File Modification Analytic
- Suspicious Webserver Activity – Unusual PHP Error For Entity Analytic
- Suspicious Webserver Activity – Rare Last-modified Transition For a Script File Analytic
- Suspicious Proxy Activity – Ngrok – Rare Tunneling to Localhost Use For Source Analytic
- Suspicious Backend Activity – Unusual Database Change Analytic
and a number of other Securonix behavioral analytics/predictive indicators including CLO-AWS12-ERI, CLO-AWS4-BDI, CLO-AWS1-ERI, CLO-AWS1-ERI, CLO-AWS11-ERI, WEB-TOM6-ERI, WEB-APA3-ERI, WEB-TOM6-ERI et al.
Figure 5 shows a practical example of detection of the Magecart attacks using Securonix.
It is important to keep in mind that there are many other attack vectors, log sources, and data sources that need to be considered depending on the potential web server attack, third-party surface, or cloud infrastructure used by your organization. (e.g. Microsoft Azure, AWS, CDN, CMS, etc.)
Figure 6: Magecart Detection Using Securonix – Osquery/FIM Content Changes
Mitigation and Prevention – Securonix Recommendations
Here are some of the Securonix recommendations to help customers prevent and/or mitigate the attack:
- Review the third-party components used by your company’s websites and add protection from third-party js library component formjacking injection by leveraging subresource integrity (SRI) and content security policy (CSP) tags such as crossorigin, integrity, require-sri-for, etc.: Note: See https://scotthelme.co.uk/subresourceintegrity/ and https://scotthelme.co.uk/content-security-policy-an-introduction/)
- Perform a review of the cloud storage sites (e.g. Amazon S3 buckets) used to deliver content for your company’s web sites for unusual changes related to potential formjacking modules. Also, consider an external review of the web components used by your organization for possible formjacking modules using PublicWWW. 
- Consider using in-house script mirroring instead of loading the script directly from the third-party so that any malicious modification of the script at the third-party doesn’t affect the code hosted on the website .
- Patch operating systems, software firmware on your infrastructure to reduce chances of infiltration.
- Scan the content of your website(s) using the free Magento Malware Scanner (see https://github.com/gwillem/magento-malware-scanner) by running, for example: wget https://mwscan.s3.amazonaws.com/mwscan.txt grep -Erlf mwscan.txt [/path/to/magento]
October 29, 2018:
- Added information under Impact
- Added section Dynamic Covert C2 Drop Points
- Added Figure 4
- Added section Magecart Formgrabbing Supply Chain Attacks – Likely Attack Progression
- Updated indicators under Securonix Detection – Some Examples of Securonix Predictive Indicators
November 6, 2018:
- Removed Figure 2
- Updated indicators under Securonix Detection – Sample Spotter Search Queries
- Added detail under Magecart Formgrabbing Supply Chain Attacks – Securonix Detection – Monitoring/SOC Perspective
- Added new resource
References British Airways. “Customer data theft”. September 13, 2018. https://www.britishairways.com/en-gb/information/incident/data-theft/latest-information. Last accessed: 10-18-2018.
 Ticket Master Inc. “INFORMATION ABOUT DATA SECURITY INCIDENT BY THIRD-PARTY SUPPLIER”. 26 June 2018. https://security.ticketmaster.co.uk/. Last accessed: 10-18-2018.
 Yonathan Klijnsma and Jordan Herman. “Inside and Beyond Ticketmaster: The Many Breaches of Magecart”. July 9, 2018. https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/. Last accessed: 10-18-2018.
 Darren Spruell. “Compromised E-commerce Sites Lead to “Magecart”. October 6, 2016. https://www.riskiq.com/blog/labs/magecart-keylogger-injection/. Last accessed: 10-18-2018.
 RISKIQ. October 6, 2016. https://safe.riskiq.com/rs/455-NHF-420/images/magecart_attributes.csv?_ga=2.232291227.547645914.1537472750-1099223366.1531410416. Last accessed: 10-18-2018.
 Yonathan Klijnsma. “Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims”. September 11, 2018. https://www.riskiq.com/blog/labs/magecart-british-airways-breach/. Last accessed: 10-18-2018.
 Placebo. September 19, 2018. https://twitter.com/Placebo52510486/status/1042440652636794880. Last accessed: 10-18-2018.
 W3C. “Subresource Integrity”. June 23, 2018. https://www.w3.org/TR/SRI/. Last accessed: 10-18-2018.
 Rich Bowen and Ken Coar. “ApacheCookbook: Logging Arbitrary Response Header Fields”. November 2003. https://www.oreilly.com/library/view/apache-cookbook/0596001916/ch03s18.html. Last accessed: 10-18-2018.
 Zack Whittaker. “Inbenta, blamed for Ticketmaster breach, admits it was hacked”. June 28, 2018. https://www.zdnet.com/article/inbenta-blamed-for-ticketmaster-breach-says-other-sites-not-affected/. Last accessed: 10-18-2018.
 Gwillem’s lab. “MageCart: now with tripwire”. October 4, 2018. https://gwillem.gitlab.io/2018/10/04/magecart-tripwire/. Last accessed: 10-18-2018.
 J.Cook and N. Bernal. October 8, 2018. Russian hackers targeted Cancer Research UK and other British businesses. https://www.telegraph.co.uk/technology/2018/10/07/british-airways-hackers-targeted-cancer-research-uk-british/. Last accessed: 10-08-2018.
 Meltxor. French Designer Clothing Line “A.P.C” compromised by MageCart Credit Card Theft Group. https://broadanalysis.com/2018/10/16/french-designer-clothing-line-a-p-c-compromised-by-magecart-credit-card-theft-group/. Last accessed: 10-08-2018.
 British Airways. Update on British Airways Cyber Attack. October 26, 2018. https://www.britishairways.com/travel/Flightops/public/en_us?p_faqid=7140. Last accessed: 10-28-2018.
 Gwillem’s lab. Multiple 0days used by Magecart. October 23, 2018. https://gwillem.gitlab.io/2018/10/23/magecart-extension-0days/. Last accessed: 10-28-2018.
 Max Chadwick. Using CVE-2016-4010’s POP Chain In Magento 1. September 10, 2017. https://maxchadwick.xyz/blog/using-cve-2016-4010-gadget-chain-in-magento-1. Last accessed: 10-28-2018.
 Magento Security Update. October 11, 2016. https://magento.com/security/patches/supee-8788. Last accessed: 10-28-2018.
 Magento Security Update. June 27, 2018. https://magento.com/security/patches/supee-10752. Last accessed: 10-28-2018.
 Krebs on Security. Who’s In Your Online Shopping Cart?. November 5, 2018. https://krebsonsecurity.com/2018/11/whos-in-your-online-shopping-cart/#more-45523. Last accessed: 11-05-2018.