A Look Inside MageCart, A Notorious Hacker Group

In the wake of the Newegg and British Airways data breach caused by a defective Magecart system, stolen information, most especially credit card details are available for sale in some dark websites. The attack against Newegg and British Airways were very focused, as hackers chose high traffic websites that contain millions of customer information. With high transactions means more information can be extracted, big data theft means bigger possibility for profit for the cybercriminal community.

“If your data was included in this breach and if you haven’t already, you’ll need to take action to protect yourself. Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted for you being cautious. You’ll also want to check your card statements for suspicious activity or purchases online — in particular small amounts just in case they are testing your card before a larger transaction is placed online. It also might be worth adding extra fraud alert security on your account. And it goes without saying, make sure all your passwords are unique online,” explained Jake Moore from ESET, a Cybersecurity expert.

Magecart group operates similarly to a syndicate connected with card skimming and compromising businesses with online transactions. The group operates 24/7 with new victims on a daily basis. Like a swiss-army-knife of software backdoors and breaking open corporate systems supplied by 3rd parties, it made headlines hacking globally recognized companies like Newegg, Ticketmaster, and British Airways.

“MageCart, the notorious actors behind massive online card skimming, has been busy. And so have I: my crawlers are continuously tracking the raging battle between card thieves and merchants. It seems that the latter are on the losing end: in October, I counted the 40,000th hijacked store since 2015. And in the last 3 months alone, I counted 5,400 unique online stores that got a skimmer added to their checkout pages,” emphasized Willem de Groot, a security researcher for MageReport, an online virus scanner.

The group he said does not rest on its laurels, but instead, continue research and development in order to perpetuate more complex breaches against known brands. “MageCart operatives are getting more sophisticated in hiding their presence and ensuring future access. Once an operative gains access to a merchant’s server, it is common to litter the site with backdoors and rogue admin accounts. They use reinfection mechanisms such as database triggers and hidden periodic tasks to reinstate their payload. They use obfuscation techniques to make their presence indistinguishable from legitimate code. It is more and more common for MageCart actors to utilize unpublished security exploits (aka 0days). Researching these requires a significant investment. All in all, it takes some very keen eyes and a lot of effort to clean all traces of a breach,” de Groot further explained.

The hacker group will remain very influential in the field of hacking years to come. At the time of this writing, its members are still unknown and their location still being tracked. Companies need to step-up their cybersecurity defenses in order not to fall for MageCart’s attacks. “MageCart operations have become more professional while expanding methodologies and changing tactics. Merchants need to step up their efforts in protecting their reputation and the privacy of their customers,” concluded de Groot.