Magecart Sees Card Skimmers on Restaurant-Ordering Systems!

Magecart Sees Card Skimmers on Restaurant-Ordering Systems!

300 restaurants & at least 50,000 payment cards compromised by 2 separate campaigns against MenuDrive, Harbortouch & InTouchPOS services.

Magecart campaigns have been ‘skimming’ payment-card credentials of unsuspecting customers using 3 online restaurant-ordering systems, affecting about 300 restaurants that use the services & compromising 10s of 1,000s of cards so far, researchers have discovered.

e-Skimmer Scripts

2 separate ongoing Magecart campaigns have injected e-skimmer scripts into the online ordering portals of restaurants using 3 separate platforms: MenuDriveHarbortouch, & InTouchPOS, researchers from Recorded Future revealed in a blog post this week. One seems to have begun last Nov., & the other in Jan., they stated.

“Across all 3 platforms, at least 311 restaurants have been infected with Magecart e-skimmers, a number that is likely to grow with additional analysis,” researchers from Recorded Future’s Insikt Group wrote in the report.

Hacker Forums

Magecart is a general term for cyber-criminals who use card-skimming technology to steal credentials from payment cards used at point-of-sale (POS) or e-commerce systems. They typically end up selling these stolen credentials on hacker forums on the dark web.

The infections on the restaurants’ websites affected in the 2 campaigns observed by Recorded Future “often result in the exposure of customers’ payment card data & PII (their billing information & contact information),” researchers noted.

As yet, researchers have identified more than 50,000 compromised payment card records from the campaigns posted for sale on the dark web, & they expect more stolen data to be posted in the future, they explained.

Campaign Details

Researchers found that MenuDrive & Harbortouch were targeted by the same Magecart attacker, a campaign that resulted in e-skimmer infections on 80 restaurants using MenuDrive & 74 using Harbortouch.

“This campaign likely began no later than Jan. 18, 2022, & as of this report, a portion of the restaurants remained infected,” they noted in the post. However, the malicious domain used for the campaign, which researchers identified as authorizen[.]net, has been blocked since May 26, they suggested.


A separate & unrelated Magecart campaign targeted InTouchPOS even earlier, beginning no later than Nov. 12, 2021, researchers stated. In that one, 157 restaurants using the platform were infected by e-skimmers, a portion of which remain this way, & the malicious domains associated with the campaign–bouncepilot[.]net & pinimg[.]org–remain active, they outlined.

Also, the tactics & indicators of compromise associated with the campaign targeting InTouchPOS are similar to those of other cyber-criminal activity targeting 400 e-commerce websites that deal in several types of transactions since May 2020, according to Recorded Future.

More than 30 of the affected sites in the related campaign remain compromised as of June 21, researchers suggested.

‘Low-Hanging Fruit’

While centralised restaurant ordering platforms like Uber Eats & DoorDash dominate the market for such systems & are far more well-known than the ones affected by the campaigns, the 100s of smaller platforms on the internet that serve local restaurants remain a valuable target for cyber-criminals, researchers noted.

“Even small-scale platforms may have 100s of restaurants as clients,” they explained, which means targeting a smaller platform can expose scores of online transactions and payment-card info. These platforms serve as ‘low-hanging fruit’ for attackers, who tend to “seek the highest pay-out for the least amount of work,” researchers noted.

Persistent Challenges

E-commerce sites generally face persistent challenges in securing their sites, & often contain vulnerable code from 3rd-party or supply-chain partners that is easy for attackers to compromise & can have ‘knock-on’ effects, noted a security professional.

“This is another example of the web attack lifecycle–the cyclical & continuous nature of cyber-attacks–where a data breach on one site, perhaps as a result of a Magecart attack, fuels carding, credential stuffing or account take-over attacks on another site,” Kim DeCarlis, Chief Marketing Officer at cyber-security company PerimeterX, wrote in an email.