Custom phone case online retailer compromised by Magecart theft group
www.skinit.com – COMPROMISED SITE
www.userlandit.com – POST /checkout/onepage/saveOrder/jNFmumMlOn5uuMCV – MAGECART EXFIL SITE
www.verifiedaccessrule.com – ADDITIONAL EXFIL SITE FOUND ON EARLIER RUN
IMAGES AND DETAILS:
The externally hosted script performs Magecart’s main data-theft function. It is obfuscated, with a large portion of it hex encoded.
Shown above: Credit card information being posted over HTTPS to www.userlandit.com/checkout/onepage/saveOrder/jNFmumMlOn5uuMCV, with the Skinit shopping cart page at www.skinit.com/checkout/onepage/ as the referrer.
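The request described above has a recognizable shape in web proxy logs: a POST sent from the shop's checkout page to a different site, on a path that imitates the shop's own checkout endpoint. The following detection sketch is an added example, not part of the original post. It assumes a TLS-inspecting proxy that logs method, URL and referrer on one line; the log lines are constructed, and `processor.example` is a hypothetical stand-in for the shop's real payment provider.

```python
from urllib.parse import urlsplit

# Magento one-page checkout path fragment, as seen in both URLs in the caption above.
CHECKOUT_MARKER = "/checkout/onepage"

# Constructed sample: METHOD URL REFERER, as a TLS-inspecting proxy might log them.
SAMPLE_LOG = """\
GET https://www.skinit.com/checkout/onepage/ https://www.skinit.com/checkout/cart/
POST https://www.skinit.com/checkout/onepage/saveOrder/ https://www.skinit.com/checkout/onepage/
POST https://pay.processor.example/v1/charge https://www.skinit.com/checkout/onepage/
POST https://www.userlandit.com/checkout/onepage/saveOrder/jNFmumMlOn5uuMCV https://www.skinit.com/checkout/onepage/
"""

def site(host):
    """Crude site key: last two DNS labels (assumption; use a public-suffix list in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(log_text, allowed_sites=frozenset()):
    """Return (destination host, mimics_checkout) for each cross-site POST sent from a checkout page."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "POST" or parts[2] == "-":
            continue
        url, ref = urlsplit(parts[1]), urlsplit(parts[2])
        if not url.hostname or not ref.hostname:
            continue
        if CHECKOUT_MARKER not in ref.path.lower():
            continue  # form was not submitted from a checkout page
        dest = site(url.hostname)
        if dest == site(ref.hostname) or dest in allowed_sites:
            continue  # first-party post or a known payment provider
        # A third-party path that imitates the shop's own endpoint is a stronger signal.
        hits.append((url.hostname, CHECKOUT_MARKER in url.path.lower()))
    return hits

if __name__ == "__main__":
    # "processor.example" stands in for the shop's real payment provider (hypothetical).
    for host, mimic in triage(SAMPLE_LOG, allowed_sites={"processor.example"}):
        print(f"cross-site checkout POST -> {host} (imitates checkout path: {mimic})")
```

Without an allowlist the legitimate payment provider is flagged as well, so the path-imitation flag is the field to prioritize on.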
MALICIOUS FILES ASSOCIATED WITH MAGECART: