# Feedify Hacked with Magecart Information Stealing Script **[bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script](https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/)** By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) September 12, 2018 12:51 PM 0 A script used by the customer engagement service Feedify has been hacked to include the malicious MageCart script. MageCart is malicious code used by attackers to steal credit card details and other information from e-commerce sites when a user submits a form. In order to use the Feedify service, e-commerce sites need to add a Feedify JavaScript script to their site. If the Feedify script is compromised with MageCart, any visitors who go to ecommerce site that uses the Feedify script will also load the malicious code. This hack was first noticed by a security researcher named Placebo who posted about it yesterday on Twitter. When Placebo posted about it, MageCart had already been removed from the Feedify script. Magecart on Feedify. A customer engagement tool. According to there website 4000+ website [use there tooling/code. Fixed today after I notified them.@ydklijnsma](https://twitter.com/ydklijnsma?ref_src=twsrc%5Etfw) [@GossiTheDog](https://twitter.com/GossiTheDog?ref_src=twsrc%5Etfw) [pic.twitter.com/K2czXkUoHD](https://t.co/K2czXkUoHD) — Placebo (@PlaceboRulez) [September 11, 2018](https://twitter.com/PlaceboRulez/status/1039585013057118209?ref_src=twsrc%5Etfw) When researching this story, I created a Feedify account to test what scripts their customers were being instructed to add. When testing the service, customers are instructed to add the following snippet of code to their site ----- Caption When examining the https://cdn.feedify.net/getjs/feedbackembad-min-1.0.js script, though, I saw that MageCart was still embedded in the script as shown by the highlighted section below. Caption A partial deobfuscation of the script shows that any submitted information will be sent to the URL https://info-stat.ws/js/slider.js. ----- Caption [To confirm that this was indeed MageCart, I contacted Yonathan Klijnsma of RiskIQ who](https://twitter.com/ydklijnsma) further confirmed that the Feedify script was still compromised. Klijnsma told BleepingComputer that the script had been reinfected 15 minutes prior to my contacting him. FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT. URL: hxxps://cdn[.]feedify[.]net/getjs/feedbackembad-min-1.0.js /cc @Placebo52510486 [@GossiTheDog](https://twitter.com/GossiTheDog?ref_src=twsrc%5Etfw) [@_feedify](https://twitter.com/_Feedify?ref_src=twsrc%5Etfw) [https://t.co/4DtpP3l0Wd](https://t.co/4DtpP3l0Wd) — Yonathan Klijnsma (@ydklijnsma) [September 12, 2018](https://twitter.com/ydklijnsma/status/1039896950223429632?ref_src=twsrc%5Etfw) Currently the malicious code has been removed from the https://feedify.net/getjs/feedbackembad-min-1.0.js, but it is still present in https://cdn.feedify.net/getjs/feedbackembad-min-1.0.js. BleepingComputer has contacted Feedify for further information, but has not received a response at the time of this publication. ## MageCart used in recent British Airways hack ----- RiskIQ also discovered that a script used by British Airways was also recently compromised by the MageCart script. This allowed attackers to steal payment and other sensitive information from approximately 380,000 individuals. In the British Airways hack, the compromised script was the Modernizr JavaScript library, which airline's site was using. ## Related Articles: [Microsoft: Credit card stealers are getting much stealthier](https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/) [Caramel credit card stealing service is growing in popularity](https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing-service-is-growing-in-popularity/) [Hacked WordPress sites force visitors to DDoS Ukrainian targets](https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-force-visitors-to-ddos-ukrainian-targets/) [Refine your JavaScript knowledge with this training bundle deal](https://www.bleepingcomputer.com/offer/deals/refine-your-javascript-knowledge-with-this-training-bundle-deal/) [Ukraine targeted by DDoS attacks from compromised WordPress sites](https://www.bleepingcomputer.com/news/security/ukraine-targeted-by-ddos-attacks-from-compromised-wordpress-sites/) AD [Feedify](https://www.bleepingcomputer.com/tag/feedify/) [Hacked](https://www.bleepingcomputer.com/tag/hacked/) [JavaScript](https://www.bleepingcomputer.com/tag/javascript/) [MageCart](https://www.bleepingcomputer.com/tag/magecart/) ----- [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/security/cybercriminals-go-phishing-for-jaxx-wallet-users/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/windows-10-build-18237-19h1-released-along-with-androids-your-phone-companion/) [Post a Comment Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ## You may also like: -----