Magecart Appears to have Targeted Another Online Retailer
www.sueno.co.uk, a UK-based eCommerce retailer focused on luxury beds, furniture, and mattresses, appears to be the latest victim of the Magecart theft group.
This domain is currently hosted in Russia on the IP address 188.8.131.52.
The externally located script performs Magecart’s main function and is obfuscated, with a large portion of it hex-encoded.
Decoding this script reveals the following:
This form looks for specific input fields and captures the data, submitting it over HTTPS via a POST request to the URL magento.name/mage/mail2.php.
Indicators of Compromise:
magento.name – POST /mage/mail2.php – Domain hosted by credit card theft group
magento.name/mage/mage.js – Domain hosted by credit card theft group
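
A triage check built on the indicators above, added here as an example and not part of the original post or the skimmer's code: it flags script tags loaded from the listed host and finds the indicators inside inline scripts even when they are written as hex escapes. The function names and the sample HTML are constructed for illustration.

```javascript
// Indicators copied from this page's IoC list.
const IOC_HOSTS = ["magento.name"];
const IOC_PATHS = ["/mage/mail2.php", "/mage/mage.js"];

// Turn \xNN and \uNNNN escapes back into characters so hex-encoded literals are searchable.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Hostname of a script URL; null for relative or unparseable values.
function hostOf(src) {
  try { return new URL(src.startsWith("//") ? "https:" + src : src).hostname.toLowerCase(); }
  catch (e) { return null; }
}

// Exact host or subdomain match, so "notmagento.name" does not hit.
function isIocHost(host) {
  return IOC_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// Report external and inline references to the indicators in one HTML document.
function scanPage(html) {
  const findings = [];
  // 1. <script src=...> loaded from an indicator host.
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const host = hostOf(m[1]);
    if (host && isIocHost(host)) findings.push({ type: "external-script", value: m[1] });
  }
  // 2. Inline script bodies: compare the raw text with the decoded text.
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const raw = m[1], decoded = decodeHexEscapes(raw);
    for (const ioc of [...IOC_HOSTS, ...IOC_PATHS]) {
      if (!decoded.includes(ioc)) continue;
      findings.push({ type: raw.includes(ioc) ? "inline-plain" : "inline-hex-encoded", value: ioc });
    }
  }
  return findings;
}

// Constructed sample page (not captured from the affected site).
const SAMPLE_HTML = String.raw`
<script src="https://notmagento.name/lib.js"></script>
<script src="https://magento.name/mage/mage.js"></script>
<script>var h = "\x6d\x61\x67\x65\x6e\x74\x6f\x2e\x6e\x61\x6d\x65";</script>`;

console.log(scanPage(SAMPLE_HTML));
```

Inline matching is by substring after decoding, so a hit there is a lead for manual review rather than a verdict.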