Custom phone case online retailer compromised by Magecart theft group

UPDATE: On October 23rd 2018, BroadAnalysis was contacted by the compromised site, which informed us that the website had been cleaned of the malware.

ASSOCIATED DOMAINS:

skinit.com – COMPROMISED SITE
cloud-privacy.com – GET /lib/v3/jMask.js – MAGECART SNIFFER JAVASCRIPT
www.userlandit.com – POST /checkout/onepage/saveOrder/jNFmumMlOn5uuMCV – MAGECART EXFIL SITE

www.verifiedaccessrule.com – ADDITIONAL EXFIL SITE FOUND ON EARLIER RUN

IMAGES AND DETAILS:

Shown above: Network traffic associated with the compromised site and the Magecart credit card theft group

A script associated with the Magecart credit card theft group was found on the site of an online custom phone case retailer. The script, found within the compromised site’s index page and shopping cart, is used to load externally hosted JavaScript from cloud-privacy.com/lib/v3/jMask.js, which performs the credit card data theft.

Shown above: Injected script found on skinit’s site index page and again on the shopping cart checkout page, which loads JavaScript from cloud-privacy.com/lib/v3/jMask.js

The externally hosted script performs Magecart’s main data theft function and is obfuscated, with a large portion of it hex encoded.

Shown above: Obfuscated script “jMask.js” found on domain cloud-privacy.com/lib/v3/

Shown above: Credit card information being posted to www.userlandit.com/checkout/onepage/saveOrder/jNFmumMlOn5uuMCV over HTTPS referred by skinit shopping cart page hosted at www.skinit.com/checkout/onepage/

Shown above: Credit card information being posted to www.userlandit.com/checkout/onepage/saveOrder/jNFmumMlOn5uuMCV over HTTPS
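The two observations above (a third-party script injected into the index and checkout pages, and card data POSTed to a look-alike Magento checkout path on a domain that is not the shop's) can be turned into simple checks. The following is an added example written for this post, not code from BroadAnalysis or from the compromised site. It assumes a first-party host set (skinit.com and www.skinit.com) and a constructed, space-separated log format of METHOD URL REFERER; the sample HTML and log lines are constructed to mirror the traffic described here, and the SHA-256 is the one listed for jMask.js below.

```python
"""Flag the two Magecart indicators described in the post:
1. <script src=...> tags on a shop page whose host is not first-party.
2. POST requests to a Magento-style checkout path whose host differs from the
   shop while the referer is the shop's own checkout page.
Also hash-matches a file against the jMask.js SHA-256 given in the post."""
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the shop only serves content from these hosts.
FIRST_PARTY_HOSTS = {"skinit.com", "www.skinit.com"}

# Magento checkout endpoint the skimmer's exfil path imitates.
CHECKOUT_PATH_RE = re.compile(r"^/checkout/onepage/saveOrder(/|$)")
SCRIPT_SRC_RE = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)

# SHA-256 of jMask.js as listed on this page.
JMASK_SHA256 = "366e92b5a2f30fd23244df9d023e9bcb314d97617244c813ffbb1704e09d45c6"


def find_foreign_scripts(html, first_party=FIRST_PARTY_HOSTS):
    """Return script src URLs loaded from a host outside the first-party set.
    Relative src values (no host) are treated as first-party."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # also handles protocol-relative //host/path
        if host and host.lower() not in first_party:
            hits.append(src)
    return hits


def find_exfil_posts(log_lines, first_party=FIRST_PARTY_HOSTS):
    """Return URLs of POSTs to a checkout-looking path on a non-first-party host
    that were referred by a first-party page. Log format (constructed):
    METHOD URL REFERER, one request per line."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        method, url, referer = parts
        u, r = urlparse(url), urlparse(referer)
        if (method.upper() == "POST"
                and CHECKOUT_PATH_RE.match(u.path or "")
                and (u.hostname or "").lower() not in first_party
                and (r.hostname or "").lower() in first_party):
            hits.append(url)
    return hits


def matches_known_skimmer(data, known=JMASK_SHA256):
    """True if the given bytes hash to the jMask.js SHA-256 from the post."""
    return hashlib.sha256(data).hexdigest() == known


# Constructed sample page: one relative script, one first-party, one injected.
SAMPLE_HTML = """
<script src="/js/app.js"></script>
<script src="https://www.skinit.com/js/checkout.js"></script>
<script type="text/javascript" src="https://cloud-privacy.com/lib/v3/jMask.js"></script>
"""

# Constructed sample log: legitimate order POST, skimmer exfil POST, skimmer fetch.
SAMPLE_LOG = [
    "POST https://www.skinit.com/checkout/onepage/saveOrder/ https://www.skinit.com/checkout/onepage/",
    "POST https://www.userlandit.com/checkout/onepage/saveOrder/jNFmumMlOn5uuMCV https://www.skinit.com/checkout/onepage/",
    "GET https://cloud-privacy.com/lib/v3/jMask.js https://www.skinit.com/checkout/onepage/",
]

if __name__ == "__main__":
    print("foreign scripts:", find_foreign_scripts(SAMPLE_HTML))
    print("exfil posts:", find_exfil_posts(SAMPLE_LOG))
    print("empty file is jMask.js:", matches_known_skimmer(b""))
```

The script check is the cheaper of the two to run continuously (fetch the checkout page, diff the external script hosts against an allowlist); the log check needs referer headers to be logged at the proxy or CDN. The hash match only catches this exact sample, so treat it as a confirmation step rather than a primary detection.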

MALICIOUS FILES ASSOCIATED WITH MAGECART:

jMask.js – Obfuscated JavaScript used to skim credit card data
SHA-256: 366e92b5a2f30fd23244df9d023e9bcb314d97617244c813ffbb1704e09d45c6
VirusTotal Link