An attacker under the Magecart umbrella has infected an unknown number of e-commerce sites in the US, UK, and five other countries with malware for skimming credit card numbers and personally identifiable information (PII) belonging to people making purchases on these sites. But in a new wrinkle, the threat actor is also using the same sites as hosts for delivering the card-skimming malware to other target sites.

Researchers from Akamai who spotted the ongoing campaign note that this not only makes the campaign different from prior Magecart activity, but it’s also much more dangerous.

They assess that the cyberattacks have been going on for at least one month and have potentially affected tens of thousands of people already. Akamai said that in addition to the US and UK, it has spotted websites affected by the campaign in Brazil, Spain, Estonia, Australia, and Peru.

Payment Card Theft & More: A Double Compromise

Magecart is a loose collective of cybercriminal groups involved in online payment card-skimming attacks. Over the past several years, these groups have injected their namesake card skimmers into tens of thousands of sites worldwide — including sites such as TicketMaster and British Airways —and stolen millions of credit cards from them, which they have then monetized in different ways. 

Akamai counted Magecart attacks on 9,200 e-commerce sites last year, of which 2,468 remained infected as of the end of 2022.

The typical modus operandi for these groups has been to surreptitiously inject malicious code into legitimate e-commerce sites — or into third-party components such as trackers and shopping carts — that the sites use, by exploiting known vulnerabilities. When users enter credit card information and other sensitive data on the checkout page of compromised websites, the skimmers silently intercept the data and send it to a remote server. So far, attackers have primarily targeted sites running the open source Magento e-commerce platform in Magecart attacks.

The latest campaign is slightly different in that the attacker is not just injecting a Magecart card skimmer into target sites but is also hijacking many of them to distribute malicious code. 

“One of the primary advantages of utilizing legitimate website domains is the inherent trust that these domains have built over time,” according to the Akamai analysis. “Security services and domain scoring systems typically assign higher trust levels to domains with a positive track record and a history of legitimate use. As a result, malicious activities conducted under these domains have an increased chance of going undetected or being treated as benign by automated security systems.”

In addition, the attacker behind the latest operation has also been attacking sites running not just Magento but other software, such as WooCommerce, Shopify, and WordPress.

A Different Approach, Same Outcome

“One of the most notable parts of the campaign is the way the attackers set up their infrastructure to conduct the web skimming campaign,” Akamai researcher Roman Lvovsky wrote in the blog post. “Before the campaign can start in earnest, the attackers will seek vulnerable websites to act as ‘hosts’ for the malicious code that is used later on to create the web skimming attack.”

Akamai’s analysis of the campaign showed the attacker using multiple tricks to obfuscate the malicious activity. For example, instead of injecting the skimmer directly into a target website, Akamai found the attacker injecting a small JavaScript code snippet into its webpages that then fetched the malicious skimmer from a host website. 

The attacker designed the JavaScript loader to look like Google Tag Manager, Facebook Pixel tracking code, and other legitimate third-party services, so it becomes hard to spot. The operator of the ongoing Magecart-like campaign also has been using Base64 encoding to obfuscate the URLs of compromised websites hosting the skimmer. 

“The process of exfiltrating the stolen data is executed through a straightforward HTTP request, which is initiated by creating an IMG tag within the skimmer code,” Lvovsky wrote. “The stolen data is then appended to the request as query parameters, encoded as a Base64 string.”

As a sophisticated detail, Akamai also found code in the skimmer malware that ensured it did not steal the same credit card and personal information twice.

Imagine being able to quickly generate all types of content—headlines, entire posts, even translations—with the click of a button. Imagine significantly reducing your effort and time spent staring at a blank screen. 

Say hello to Jetpack AI Assistant. 

Jetpack AI Assistant is seamlessly integrated as a block within the WordPress.com editor. (If your WordPress site is hosted elsewhere, the AI Assistant is also available through the Jetpack plugin.) This powerful new tool is still in the experimental phase, but here’s just a sampling of what it can already help you do. 

5 ways you can make writing a breeze with Jetpack AI Assistant 

Create customized content

Jetpack AI Assistant utilizes a conversational system so that you can “chat” with it in natural language. Enter a prompt, such as “Write a list of Tokyo’s must-visit destinations,” and watch as the Assistant crafts an engaging piece of content. Compelling blog posts, detailed pages, structured lists, and comprehensive tables can be created in seconds.

Perfect your spelling and grammar on the fly

Ensure your content always reflects professional standards with Jetpack AI Assistant’s spelling and grammar correction features.

Adjust your tone to match your audience 

Whether you’re aiming for formal or conversational, Jetpack AI Assistant can adjust the tone of your content to your goals and audience makeup. 

Find that perfect creative title

Struggling to find a good title that will really capture your audience’s attention? It can be the hardest part of writing a post! Jetpack AI Assistant has you covered by reading the text and then creating suitable and compelling headlines.

Translate your writing with a single click

The Jetpack AI Assistant can translate your text into numerous languages, allowing you to effortlessly reach across locales and cultures. 

And that’s just the start of what Jetpack AI Assistant can do.

Can this really be free? 

Yes, it can! For a limited time, Jetpack AI Assistant is free to use for all WordPress.com customers. 

Activate the block with the Inserter or the “/” command shortcut. (If you didn’t know, here’s a fun tip: Hit the “/” button while in the post or page editor and type the name of the block you’re looking for. In this case, it would be “AI.”) 

Your rocketship to seamless content creation  

This is just the beginning! We’re working to expand Jetpack AI Assistant’s capabilities, so stay tuned for even more exciting features in the coming weeks.

Try the AI Assistant today and discover an even more streamlined creative process in WordPress.com.