MageCart Attacks on Local Government Services
I. Targeted Industries
- Local Government
- Higher Education
III. Background Information
Click2Gov is a web-based application used by local governments to let residents pay for city services online. Click2Gov was previously hit by MageCart skimming in 2018, which caused major data breaches in several towns, and similar breaches have occurred in the past year. In another recent instance, MageCart was found, for the first time, hidden within a site’s favicon.
In addition to credit card information, the skimmer also sent personally identifiable information entered by the victims, such as names and addresses, to the attacker's server. Two separate exfiltration servers were identified: one served three of the affected sites and the other served the remaining five. Both servers hosted identical files along with the skimmer; the only difference was the hostname of the exfiltration server. Using a separate server is believed to be a technique for making detection more difficult.
IV. MITRE ATT&CK
- T1041 – Exfiltration Over Command and Control Channel
Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications.
- T1119 – Automated Collection
Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include the use of scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.
V. Mitigation Recommendations
- Monitor Point-of-Sale (POS) networks
If an infection is found, the affected networks should be rebuilt.
- Monitor compliance requirements and regulations
Stay on top of industry compliance requirements and regulations.
- Customer Notifications
Affected customers should be notified as soon as possible and potentially offered fraud protection.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the attack into your intrusion detection system (IDS) to catch any suspicious behavior related to the attack.
- Patch Updates
Update consistently and patch vulnerabilities.
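As an added example (not code from the advisory or its sources), the check below runs over constructed web-proxy log lines and flags traffic from a payment page to the skimmer's exfiltration servers. Because the two servers described above hosted identical skimmer files and differed only in hostname, it matches on the script path as well as the host, so a third server with the same files would still alert; the IOC hostnames, paths, allowlist and log format are all placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed IOC set: placeholders, not the advisory's real indicators.
# Both exfiltration servers served the same files, so keying on the path
# catches the same skimmer when only the hostname has been swapped.
IOC_HOSTS = {"exfil-one.example", "exfil-two.example"}
IOC_PATHS = {"/skimmer/loader.js", "/skimmer/collect.php"}
# Assumed allowlist of hosts a Click2Gov payment page legitimately talks to.
ALLOWED_HOSTS = {"payments.example-city.gov", "www.example-city.gov"}

# Constructed log format: "<client_ip> <method> <url> <referer>"
LOG_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+)$")

# Constructed sample proxy log lines.
SAMPLE_LOG = [
    "10.0.0.5 GET https://payments.example-city.gov/click2gov/pay https://www.example-city.gov/",
    "10.0.0.5 GET https://exfil-one.example/skimmer/loader.js https://payments.example-city.gov/click2gov/pay",
    "10.0.0.5 POST https://exfil-three.example/skimmer/collect.php https://payments.example-city.gov/click2gov/pay",
    "10.0.0.5 POST https://cdn.other.example/api/metrics https://payments.example-city.gov/click2gov/pay",
    "10.0.0.6 GET https://www.example-city.gov/news -",
]


def classify(line):
    """Return (reason, url) if the log line should raise an alert, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _client, method, url, referer = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in IOC_HOSTS:
        return ("ioc-host", url)
    if parts.path in IOC_PATHS:
        return ("ioc-path", url)  # known skimmer file on an unlisted hostname
    ref_host = urlsplit(referer).hostname or ""
    # A POST from the payment page to a host outside the allowlist is the
    # generic shape of card-data exfiltration, even without a known IOC.
    if method == "POST" and ref_host in ALLOWED_HOSTS and host not in ALLOWED_HOSTS:
        return ("third-party-post-from-payment-page", url)
    return None


def scan(lines):
    """Run classify() over every line and collect the alerts."""
    return [hit for hit in (classify(line) for line in lines) if hit]
```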
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Asif, Sudais. “Major MageCart Skimming Attack Hits 8 Local US Government Sites.” HackRead, June 27, 2020. https://www.hackread.com/magecart-skimming-attack-local-us-government-sites/.
(2) “Automated Collection, Technique T1119 – Enterprise.” MITRE ATT&CK®. Accessed June 30, 2020. https://attack.mitre.org/techniques/T1119/.
(3) Chen, Joseph C. “US Local Government Services Targeted by New MageCart Credit Card Skimming Attack.” TrendLabs Security Intelligence Blog, June 26, 2020. https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/.
(4) “Exfiltration Over Command and Control Channel, Technique T1041 – Enterprise.” MITRE ATT&CK®. Accessed June 30, 2020. https://attack.mitre.org/techniques/T1041/.
(5) O’Donnell, Lindsey. “8 U.S. City Websites Targeted in MageCart Attacks.” Threatpost, June 26, 2020. https://threatpost.com/8-city-gov-websites-magecart/156954/.
(6) Wodinsky, Shoshana. “Credit Card Skimmers Can Hide in an Icon’s Metadata.” Gizmodo, July 1, 2020. https://gizmodo.com/credit-card-skimmers-can-hide-in-an-icons-metadata-1844181377.