The term “Magecart” refers to attacks on the Magento platform. Recently, another large campaign was found to target Magento sites again. Among these, Carlsberg was one of the compromised websites.
The pattern of these attacks is almost always the same. A single line of JavaScript loads content from a remote website. In other words, a 3rd party script. That code is then heavily obfuscated to delay detection even more.
In this case, the payment process was quietly changed. A fake payment method box was added to the store's page and shown to customers first. As you’d type in your credit card details, that information is sent directly to the attacker.
This attack was dubbed the “CosmicString” attack, and was reported months ago. A very detailed and recent writeup by Sansec can help you catch up.
URLScan has archived the code that was injected:
The https://artvislon[.]shop/img/ domain was used to inject the following:
From there, Malwarebytes has reported more on the code itself if you wish to see it. It has since been removed from the impacted websites.
It's interesting - and a bit frustrating - that impacted companies often aren’t called out by name in reports like these. While there’s usually good intent behind keeping their identities hidden, it makes you wonder if this silence might be part of the problem. It made us wonder at least.
If more companies were publicly named when client-side attacks like CosmicString happen, it could raise much-needed awareness about the risks of 3rd party scripts and skimming malware and prevent other brands from facing similar attacks.
By keeping these breaches more under wraps, the message sent to other companies and the public seems muted. When large, recognizable brands fall victim, it should serve as a wake-up call for other businesses to prioritize their client-side security.
The companies are often better resourced and have an experienced and dedicated security team. Companies of all sizes face issues with client-side security and do not have an eye on the problem until it goes wrong in a visible and global manner.
As we have seen with the Polyfill attack, depending on the user agent, time of day and IP a bad actor can inject a malicious script. Waiting for a security crawler to notice the attack on your behalf will only catch non-advanced, non-targeted attacks.
The reality is, without that spotlight on who is being impacted, the urgency and severity of these attacks might not be fully grasped by others in the industry.
That, in turn, might prompt a quicker adoption of better security practices and stronger defenses across the board.
While various concepts have been tried to combat these types of attacks, none have really worked. Threat feeds are reactionary, and often completely miss the mark. We just reported on this case where threat feeds missed an attack for over 2 years.
Malwarebytes detected the attack due to a few of their customers using their detection browser plugin. It successfully stopped the attack for those few specific customers which makes it a great solution for people aware of the dangers, but not those outside of that space.
As attacks keep happening, and since these client-side attacks are especially hard to spot, We built c/side to change this. The website owner installs our script to load first to let c/side monitor, secure and even optimize all other scripts on their sites.You can get started to protect your website and visitors for free.