Card-stealing code that pwned British Airways, Ticketmaster pops up on more sites via hacked JS

Feedify's whack-a-mole with MageCart malware miscreants

People playing whack-a-mole game

A Javascript library hosted by Feedify and used by e-commerce websites globally has been repeatedly infected this week to potentially siphon off countless victims' bank card details to crooks.

The library code is typically embedded into retail webpages by site administrators and developers to add a means for shoppers to leave customer feedback. That code – feedbackembad-min-1.0.js – is served from Feedify's web servers, and has been repeatedly tampered with by hackers to include the MageCart malware. This malicious software seeks out credit card details entered on the compromised webpages, and phones them home to an outside server controlled by fraudsters.

Thus, if someone visits a website that includes Feedify's vandalized code, their browser will pull in the MageCart malware from Feedify's servers as well as the feedback form, and this will then snoop on and siphon off any sensitive information, such as payment card data, typed in and submitted.

Therefore, any number of netizens using one of the e-commerce and hotel websites relying on Feedify's code were potentially at risk of having their information swiped and used by fraudsters to go on spending sprees with their banking accounts. Feedify claims 4,000-plus websites use its code; a quick search showed at least a few hundred using this particular feedback library.

And that, by the way, is the same MageCart script that also, it is understood, appeared on the British Airways and Ticketmaster websites, leading to the theft of people's payment card data while booking tickets.

The malware was detected on Feedify's systems at 5pm UTC today, although has since vanished from its web servers. It was programmed to send the card data to another compromised website: info-stat[.]ws.

This is the third time, we're told, that MageCart has appeared and been scrubbed from Feedify's various machines in recent days. This suggests this is an ongoing attack that's left the biz playing whack-a-mole with hackers breaking into its networks, and staff deleting vandalized libraries.

Shut it down

Essentially, this is a textbook demonstration of why sensitive pages on websites – particular payment pages – should not carry any third-party code. If the JavaScript or other elements are hosted by an external source, and that source is pwned, and there is no way to detect that, it's game over for everyone. And if the source is supplying scripts to thousands of websites, it becomes a very valuable target: hacking it will compromise many, many online stores in one fell swoop.

The card-spying code was spotted on Tuesday...

...and even though was removed, returned today. British infosec geezer Kevin Beaumont reckoned this is about the third time this month Feedify's systems have been compromised to spread the MageCart malware – and urged companies to immediately suspend any use of Feedify's JavaScript.

"Feedify's Javascript library was compromised with code mirroring MageCart, which steals credit cards," Beaumont said. "Feedify quietly fixed it, haven't notified anybody, and aren't responding to press. Feedify are embedded in thousands of e-commerce websites."

We have to wonder if miscreants have access to Feedify's codebase via stolen credentials, an infected internal machine, or some other kind of insider access. Feedify, meanwhile, hasn't said anything about the issue. Multiple attempts by The Register to reach the India-based biz have hit brick walls: no spokesperson was available to comment on the matter. ®




Biting the hand that feeds IT © 1998–2018