Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS
Feedify's whack-a-mole with MageCart malware miscreants
The library code is typically embedded into retail webpages by site administrators and developers to add a means for shoppers to leave customer feedback. That code – feedbackembad-min-1.0.js – is served from Feedify's web servers, and has been repeatedly tampered with by hackers to include the MageCart malware. This malicious software seeks out credit card details entered on the compromised webpages, and phones them home to an outside server controlled by fraudsters.
Thus, if someone visits a website that includes Feedify's vandalized code, their browser will pull in the MageCart malware from Feedify's servers as well as the feedback form, and this will then snoop on and siphon off any sensitive information, such as payment card data, typed in and submitted.
Therefore, any number of netizens using one of the e-commerce and hotel websites relying on Feedify's code were potentially at risk of having their information swiped and used by fraudsters to go on spending sprees with their banking accounts. Feedify claims 4,000-plus websites use its code; a quick search showed at least a few hundred using this particular feedback library.
And that, by the way, is the same MageCart script that also, it is understood, appeared on the British Airways and Ticketmaster websites, leading to the theft of people's payment card data while booking tickets.
The malware was detected on Feedify's systems at 5pm UTC today, although has since vanished from its web servers. It was programmed to send the card data to another compromised website: info-stat[.]ws.
This is the third time, we're told, that MageCart has appeared and been scrubbed from Feedify's various machines in recent days. This suggests this is an ongoing attack that's left the biz playing whack-a-mole with hackers breaking into its networks, and staff deleting vandalized libraries.
Shut it down
The card-spying code was spotted on Tuesday...
We have to wonder if miscreants have access to Feedify's codebase via stolen credentials, an infected internal machine, or some other kind of insider access. Feedify, meanwhile, hasn't said anything about the issue. Multiple attempts by The Register to reach the India-based biz have hit brick walls: no spokesperson was available to comment on the matter. ®
Sponsored: Becoming a Pragmatic Security Leader