Feedify becomes latest victim of the Magecart malware campaign

Push notification service Feedify has been reported as the latest victim of the cyber-criminal operation known as Magecart, the same operation that was recently identified as the culprit behind the Ticketmaster and British Airways breaches. According to a security researcher, one of the company’s JavaScript files was infected with malicious code that steals payment card details.


Commenting on this, Ksenia Peguero, senior research lead at Synopsys, said: “This story has a couple of interesting aspects. One is that developers and companies usually trust CDNs and data that is coming from a Content Delivery Network (CDN). But once a CDN gets infected by malware, the scripts it is serving will likely be used by more than one application. Therefore, compromising a CDN provides a wider attack surface. In this case, however, it looks like the attack was quite targeted as the feedbackembad-min-1.0.js file seems to only be used by the Feedify service.

Another interesting aspect is that according to Kevin Beaumont (@GossiTheDog), the malicious code was re-added three times. At the time of this writing, it is still present in the feedbackembad-min-1.0.js file served from the CDN (https://cdn.feedify.net/getjs/feedbackembad-min-1.0.js). That shows that the vulnerability which Magecart used to inject the code is not fixed by the CDN. It is possible that other JavaScript files served from this CDN may also be infected.

We always talk about how we need to do composition analysis and understand what open source libraries we are bringing into our commercial products. But on top of that we should conduct composition analysis and security evaluation of the third-party libraries constantly, as they may be modified by attackers if the storage location such as a CDN or even an internal server is infected by malware or compromised in another way.”
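The constant re-evaluation of third-party scripts called for in the quote above can be approximated by pinning a digest when a script is reviewed and re-checking it on every monitoring run. The following Node.js sketch is an added example, not code from the article or from any vendor; the URLs, script bodies and function names are constructed for illustration, and fetching the scripts is assumed to happen elsewhere.

```javascript
const crypto = require('node:crypto');

// Subresource Integrity value for a script body: "sha384-<base64 digest>".
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// One monitoring run: compare fetched bodies against digests pinned at review time.
function auditScripts(pinned, observed) {
  const findings = [];
  for (const [url, body] of Object.entries(observed)) {
    const actual = sriDigest(body);
    if (!(url in pinned)) findings.push({ url, status: 'unpinned', actual });
    else if (pinned[url] !== actual) findings.push({ url, status: 'modified', actual });
  }
  for (const url of Object.keys(pinned)) {
    if (!(url in observed)) findings.push({ url, status: 'missing' });
  }
  return findings;
}

// Across successive runs, count how often a script goes from matching its pin
// to not matching it, i.e. how many times a change was (re)introduced.
function countModificationEvents(pinnedDigest, bodies) {
  let events = 0;
  let wasClean = true;
  for (const body of bodies) {
    const clean = sriDigest(body) === pinnedDigest;
    if (wasClean && !clean) events += 1;
    wasClean = clean;
  }
  return events;
}

// Constructed sample data (hypothetical URLs and script bodies).
const URL_A = 'https://cdn.example.test/widget-min-1.0.js';
const URL_B = 'https://cdn.example.test/extra.js';
const reviewed = 'function showWidget(){return "ok";}';
const changed = reviewed + '\n/* content appended after review */';
const pinned = { [URL_A]: sriDigest(reviewed) };

function demo() {
  const run = auditScripts(pinned, { [URL_A]: changed, [URL_B]: 'var x=1;' });
  const events = countModificationEvents(pinned[URL_A],
    [reviewed, changed, reviewed, changed, changed, reviewed, changed]);
  return { run, events };
}
```

The same `sha384-…` value can be placed in a script tag's `integrity` attribute so the browser refuses a body that no longer matches the reviewed version.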