Hacked Sep 12, cleaned Sep 20 Hacked Sep 27, cleaned Oct 1 Hacked Oct 19, cleaned Oct 22During August, September, and October, de Groot says he identified more than 5,400 web domains that are harbouring MageCart-like malware designed to steal credit card information from online shoppers. If one in five of those compromised sites are likely to be infected again, it is clear that MageCart will continue to skim credit card details from unsuspecting shoppers for the foreseeable future. What has become apparent is that the bad guys are beating the good guys, by doing a better job of reinfecting sites than website administrators are at detecting and cleaning up an infection. De Groot reports that MageCart infections typically persist on an ecommerce site for 12.7 days, whereas reinfection typically occurs within 10.5 days. Furthermore, MageCart attackers are taking advantage of the fact that a typical website's security team is more likely to be fully-staffed during the week, leaving a window of opportunity for exploitation to take place at weekends where infections appear to be spiking.
First, MageCart operatives are getting more sophisticated in hiding their presence and ensuring future access. Once an operative gains access to a merchant’s server, it is common to litter the site with backdoors and rogue admin accounts. Second, they use reinfection mechanisms such as database triggers and hidden periodic tasks to reinstate their payload. Third, they use obfuscation techniques to make their presence indistinguishable from legitimate code. Fourth, it is more and more common for MageCart actors to utilize unpublished security exploits (aka 0days). Researching these requires a significant investment."All in all, it takes some very keen eyes and a lot of effort to clean all traces of a breach," says de Groot. That can be true of any hack, of course, but is particularly critical when the site involved is a online store which the public is using to enter its credit card details.