MageCart E-Skimmer Attacks Targeted 311 Restaurants in the USA

With the MageCart e-skimmer campaigns targeting three online ordering platforms, MenuDrive, Harbortouch, and InTouchPOS, bank card information of 50,000 customers of 311 restaurants serving in the USA was seized. Online ordering platforms for restaurants allow customers to order food online and outsource the burden for restaurants to develop an ordering system. Due to its widespread use, online ordering platforms have become a high-value target for threat actors carrying out Magecart e-skimmer attacks. Magecart malware is JavaScript code that collects credit card data and other identifying information when online shoppers enter the payment page.

The campaign started on January 18, 2022, targeting 80 restaurants using MenuDrive and 74 restaurants using the Harbortouch platform. InTouchPOS, on the other hand, was targeted by another MageCart campaign on November 12, 2021, which resulted in e-skimmer infections in 157 restaurants using the platform. It was observed that 50,000 bank card information seized in the campaign, which affected 311 restaurants in total, was put up for sale on Dark Web platforms.

Advanced digital security technologies must be used to prevent Magecart attacks. Data Breach Monitoring services are a preferable solution to protect e-commerce sites against potential breaches. Additionally, for e-commerce providers, It is recommended to ensure that the software, hardware, and tools being used are up-to-date, request third-party service providers to have their code checked, and apply HTTP Content-Security-Policy principles which provide an additional layer of protection against potential attacks. The precautions that customers using e-commerce services should take in order not to be affected by similar security breaches are as follows;

• Personal information should not be entered on unreliable/suspicious websites,
• Virtual cards created for e-commerce transactions should be used,
• Make sure that the visited page is not a fake domain with a similar name created by threat actors,

IOC findings such as IP addresses and domains known to be used by threat actors in these campaigns should be blocked from security solutions in use.