Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
Threat actors infect e-commerce websites with Magecart e-skimmers to steal online shoppers’ payment card data, billing information, and personally identifiable information (PII). To counter this threat, Recorded Future’s Magecart Overwatch program monitors hundreds of thousands of e-commerce websites to identify the presence of e-skimmer infections. This report details 2 recent Magecart campaigns that targeted 3 restaurant online ordering platforms, leading to the exposure of online transactions at 311 restaurants. The intended audience is financial institutions’ fraud and cyber threat intelligence (CTI) teams and e-commerce security professionals.
Online ordering platforms for restaurants enable customers to make online food orders and allow restaurants to outsource the burden of developing an ordering system. While top-end online ordering platforms like Uber Eats and DoorDash dominate the market, there are also hundreds of smaller online ordering platforms that serve small, local restaurants — and even small-scale platforms may have hundreds of restaurants as clients. As a result, online ordering platforms have become a high-value target for threat actors conducting Magecart e-skimmer attacks because compromising a single online ordering platform typically results in the exposure of online transactions performed at a significant portion of the restaurants that use the platform.
Recently, we identified 2 separate ongoing Magecart campaigns that have injected e-skimmer scripts into the online ordering portals of restaurants using 3 separate platforms: MenuDrive, Harbortouch, and InTouchPOS. Across all 3 platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis.
The Magecart e-skimmer infections on these restaurants’ websites often result in the exposure of customers’ payment card data and PII (their billing information and contact information). To date, we have identified over 50,000 compromised payment card records that were exposed from these infected restaurants and posted for sale on the dark web.
Cybercriminals often seek the highest payout for the least amount of work. This has led them to target restaurants’ online ordering platforms; when even a single platform is attacked, dozens or even hundreds of restaurants can have their transactions compromised, which allows cybercriminals to steal vast amounts of customer payment card data disproportionate to the number of systems they actually hack. The COVID-19 pandemic has only exacerbated this due to an influx of online ordering as restaurants’ dine-in options were restricted.
In May 2021, we reported on breaches at 5 restaurant online ordering platforms, including Grabull, EasyOrdering, and eDiningExpress. The latter 2 platforms (as well as MenuDrive, Harbortouch, and InTouchPOS) all operate in a similar way: they offer a restaurant-specific ordering application hosted on platform-operated domains. As a result, if threat actors gain unauthorized access to a given online ordering platform’s shared libraries, they can modify server-side scripts to affect numerous merchants through a single compromise, as these merchants often rely on the same shared libraries.
This most recent attack was not Harbortouch’s first breach. In 2015, Harbortouch admitted to a data breach exposing an unspecified number of restaurants; cybersecurity blog Krebs on Security reported that at least 4,200 stores running Harbortouch software were compromised.