New Ongoing Magecart Campaign

22 February 2023

SingCERT is aware of a new and ongoing Magecart campaign targeting e-commerce websites. The Magecart attack involves injecting malicious code into the payment pages, which allows attackers to steal credit card and other sensitive information entered by users during the checkout process.

Possible indicators of compromise (IOCs) associated with the ongoing campaign are shown in the table below. Website administrators may wish to review their websites' source code for signs of code tampering and the presence of these IOCs (in Base64 encoding). Network administrators may also wish to configure their firewall rules to block connections to the following domains associated with the campaign.

Indicators of compromise

TYPE	INDICATOR	DESCRIPTION
DOMAIN	yachtbars[.]fun	Command and control
DOMAIN	app-stat[.]com	Command and control
DOMAIN	Magento-cdn[.]net	Command and control
DOMAIN	nebiltech[.]shop	Command and control
DOMAIN	Rithdigit[.]cyou	Command and control
DOMAIN	Antohub[.]shop	Command and control
DOMAIN	Okqtfc1[.]org	Command and control
DOMAIN	jquery-node[.]com	Command and control

Online merchants may refer to our advisory on how to protect their websites at:

https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2022-007

Consumers may refer to our advisory on how to protect themselves when shopping online at:

https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2022-014

More information is available here:

https://www.akamai.com/blog/security/magecart-attack-disguised-as-google-tag-manager

Public advisory of scammers impersonating CSA and the SPF

New Ongoing Magecart Campaign

Reach us