Amid Rising Magecart Attacks on Online Ordering Platforms, Recent Campaigns Infect 311 Restaurants

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Threat actors infect e-commerce websites with Magecart e-skimmers to steal online shoppers’ payment card data, billing information, and personally identifiable information (PII). To counter this threat, Recorded Future’s Magecart Overwatch program monitors hundreds of thousands of e-commerce websites to identify the presence of e-skimmer infections. This report details 2 recent Magecart campaigns that targeted 3 restaurant online ordering platforms, leading to the exposure of online transactions at 311 restaurants. The intended audience is financial institutions’ fraud and cyber threat intelligence (CTI) teams and e-commerce security professionals.

Executive Summary

Online ordering platforms for restaurants enable customers to make online food orders and allow restaurants to outsource the burden of developing an ordering system. While top-end online ordering platforms like Uber Eats and DoorDash dominate the market, there are also hundreds of smaller online ordering platforms that serve small, local restaurants — and even small-scale platforms may have hundreds of restaurants as clients. As a result, online ordering platforms have become a high-value target for threat actors conducting Magecart e-skimmer attacks because compromising a single online ordering platform typically results in the exposure of online transactions performed at a significant portion of the restaurants that use the platform.

Recently, we identified 2 separate ongoing Magecart campaigns that have injected e-skimmer scripts into the online ordering portals of restaurants using 3 separate platforms: MenuDrive, Harbortouch, and InTouchPOS. Across all 3 platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis.

The Magecart e-skimmer infections on these restaurants’ websites often result in the exposure of customers’ payment card data and PII (their billing information and contact information). To date, we have already identified over 50,000 compromised payment card records that were exposed from these infected restaurants and posted for sale on the dark web.

Key Findings

• The online ordering platforms MenuDrive and Harbortouch were targeted by the same Magecart campaign, resulting in e-skimmer infections on 80 restaurants using MenuDrive and 74 using Harbortouch. This campaign likely began no later than January 18, 2022, and as of this report, a portion of the restaurants remained infected; however, the malicious domain used for the campaign (authorizen[.]net) has been blocked since May 26, 2022.
• The online platform InTouchPOS was targeted by a separate, unrelated Magecart campaign, resulting in e-skimmer infections on 157 restaurants using the platform. This campaign began no later than November 12, 2021, and as of this report, a portion of the restaurants remain infected and the malicious domains (bouncepilot[.]net and pinimg[.]org) remain active.
• We have identified more than 50,000 payment card records that were skimmed from these 311 restaurants and posted for sale on the dark web. Additional compromised records from these restaurants have likely been, and will continue to be, posted for sale on the dark web.
• The tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the campaign targeting InTouchPOS match those of another campaign targeting e-commerce websites that do not use a centralized online ordering platform. This related campaign has infected over 400 e-commerce websites since May 2020, with over 30 of the websites still infected as of June 21, 2022.

Background

Cybercriminals often seek the highest payout for the least amount of work. This has led them to target restaurants’ online ordering platforms; when even a single platform is attacked, dozens or even hundreds of restaurants can have their transactions compromised, which allows cybercriminals to steal vast amounts of customer payment card data disproportionate to the number of systems they actually hack. The COVID-19 pandemic has only exacerbated this due to an influx of online ordering as restaurants’ dine-in options were restricted.

In May 2021, we reported on breaches at 5 restaurant online ordering platforms, including Grabull, EasyOrdering, and eDiningExpress. The latter 2 platforms (as well as MenuDrive, Harbortouch, and InTouchPOS) all operate in a similar way: they offer a restaurant-specific ordering application hosted on platform-operated domains. As a result, if threat actors gain unauthorized access to a given online ordering platform’s shared libraries, they can modify server-side scripts to affect numerous merchants through a single compromise, as these merchants often rely on the same shared libraries.

This most recent attack was not Harbortouch’s first breach. In 2015, Harbortouch admitted to a data breach exposing an unspecified number of restaurants; cybersecurity blog Krebs on Security reported that at least 4,200 stores running Harbortouch software were compromised.

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.