Magecart: The Card-Skimming Group and Its Many Faces


Magecart, the e-commerce payment card-skimming operation behind recent attacks on British Airways, Ticketmaster, Newegg, and other prominent companies, comprises six major active cybercriminal groups, according to a new joint research report. All of these groups build on the same skimmer toolset, but they rely on different strategies and in some cases have evolved the malware.

RiskIQ and Flashpoint jointly released the report, which profiles the half-dozen groups and notes many more actors within the Magecart ecosystem.

The original Magecart dates back to 2014-15 but no longer exists in its original form. This actor covertly embedded e-commerce pages with a JavaScript-based tool that copied data entered into online forms and sent it to a drop server. This is how they introduced the Magecart skimmer that forms the foundation for all later activity. The group's early schemes involved tricking job seekers.

Group 1 compromised over 2,500 online stores and eventually evolved into what the researchers call Group 2. The method remained the same: victimize a wide range of targets and monetize the stolen card information.

Group 3 came into existence in 2016 and compromised around 800 online stores. According to the report, its skimmer decides differently whether it is running on a checkout page: rather than matching the page's URL, it looks for forms containing payment fields. Most of the forms it targets belong to payment vendors based in Latin America, which reveals the group's preferred geography.

Group 4 debuted in 2017 and is a particularly crafty group with a victim count of over 3,000 stores. "We strongly believe this group originates from another crime business involved in malware distribution and hijacking of banking sessions using web injects," states the report, authored by RiskIQ researchers Yonathan Klijnsma and Jordan Herman and Flashpoint director of research Vitali Kremez. "The skimmer and method of operation have a strong similarity to how banking malware groups operate."

The researchers note that Group 4 attempts to "blend in with normal web traffic" through a number of tactics, including registering domains that impersonate its own targets as well as ad and analytics providers. This group's skimmer is also a more complex, expansive tool that acts as a malicious overlay superseding legitimate payment forms. Group 4 additionally employs fingerprinting to identify individuals who may be trying to analyze the skimmer.
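Two of the behaviours above are worth seeing from the defender's side: the Group 3 skimmer's habit of recognising a checkout page by its form fields rather than its URL, and Group 4's use of domains that resemble the victim store or a common analytics provider. The script below is an added example written for this article, not code from the RiskIQ/Flashpoint report or from any skimmer. It runs under Node with no dependencies, uses a regex attribute extractor that is adequate for the constructed sample HTML (a real audit would use a DOM parser), and approximates the registrable domain as the last two host labels. The store name `example-shop.com`, the sample page, and the provider allow-list are all assumptions made for the demo.

```javascript
// Added example (not from the report or any Magecart group): audit one page's
// HTML for (1) a card form regardless of URL and (2) suspect script origins.

// Card-field name patterns: the signal a field-triggered skimmer keys on, and
// the signal a defender can use to pick pages that need the strictest script controls.
const PAYMENT_FIELD_PATTERNS = [
  /card[-_]?(num|number)/i, /^cc[-_]?/i, /cvv|cvc/i, /exp(iry|[-_]?(month|year|date))/i,
];

// Pull the values of one attribute from every <tag ...> in the HTML.
// Regex-based; fine for the constructed sample, not for arbitrary markup.
function extractAttrs(html, tag, attr) {
  const re = new RegExp('<' + tag + '\\b[^>]*?\\s' + attr + '\\s*=\\s*["\']([^"\']+)["\']', 'gi');
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// URL-based checkout detection: the simpler trigger, easy to miss on custom flows.
function looksLikeCheckoutUrl(url) {
  return /checkout|onepage|payment|billing/i.test(new URL(url).pathname);
}

// Field-based detection: does the page itself carry a card form, whatever the URL?
function hasPaymentForm(html) {
  const names = ['name', 'id', 'autocomplete'].flatMap(a => extractAttrs(html, 'input', a));
  return names.some(n => PAYMENT_FIELD_PATTERNS.some(p => p.test(n)));
}

// Registrable domain approximated as the last two labels (no public-suffix list,
// so co.uk-style hosts are cut wrongly; acceptable for the demo).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Plain Levenshtein edit distance, used to spot typo-squats of trusted domains.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return d[a.length][b.length];
}

// Classify every <script src> that is not first party or allow-listed.
// storeDomain and knownProviders are registrable domains the operator trusts.
function auditScriptOrigins(html, storeDomain, knownProviders) {
  const storeLabel = storeDomain.split('.')[0];          // e.g. "example-shop"
  const trusted = [storeDomain, ...knownProviders];
  const findings = [];
  for (const src of extractAttrs(html, 'script', 'src')) {
    const host = new URL(src, 'https://' + storeDomain + '/').hostname;
    const domain = registrableDomain(host);
    if (trusted.includes(domain)) continue;               // first party or allow-listed
    let reason = 'unlisted third party';
    if (host.split('.').includes(storeLabel)) {
      reason = 'impersonates store name';                 // e.g. example-shop.cdn-stats.net
    } else if (trusted.some(t => editDistance(domain, t) <= 2)) {
      reason = 'lookalike of trusted domain';             // e.g. googie-analytics.com
    }
    findings.push({ src, host, reason });
  }
  return findings;
}

// Constructed sample: the URL does not say "checkout", yet the page carries a
// card form and a mix of first-party, allow-listed and suspect scripts.
const SAMPLE_URL = 'https://example-shop.com/customer/step3';
const SAMPLE_HTML = `
<form id="pay" method="post" action="/customer/step3">
  <input name="email" type="email">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="exp_month"><input name="cvv">
</form>
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://www.googie-analytics.com/analytics.js"></script>
<script src="https://example-shop.cdn-stats.net/tag.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash.min.js"></script>`;
const KNOWN_PROVIDERS = ['google-analytics.com', 'googletagmanager.com'];

function demo() {
  return {
    urlSaysCheckout: looksLikeCheckoutUrl(SAMPLE_URL),     // false: URL alone misses it
    pageHasCardForm: hasPaymentForm(SAMPLE_HTML),          // true: the fields give it away
    suspectScripts: auditScriptOrigins(SAMPLE_HTML, 'example-shop.com', KNOWN_PROVIDERS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node audit.js`. On the sample it reports no checkout keyword in the URL but a card form on the page, and flags three scripts: the `googie-analytics.com` lookalike, the `example-shop.cdn-stats.net` host that borrows the store's name, and an unlisted CDN. The last category is not proof of compromise, only a prompt to put the origin on an allow-list or remove it; the two lookalike categories are exactly what the "blend in" tactic relies on nobody checking.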

Group 5 compromises third-party online services as a way to reach those services' e-commerce customers through supply chain attacks. This approach lets the attackers harvest data from a large number of organizations by infecting a small number of third-party companies whose services are integrated into those many targets.

This is the group responsible for the breach at Ticketmaster UK, according to the researchers: malicious code in a customer-support product hosted by Inbenta Technologies was exporting customers' data to an unknown third party.

Group 6 is the "most high-profile Magecart group," responsible for this year's attacks against British Airways and Newegg. This group focuses on top-tier targets because huge volumes of customer data can be extracted from such companies. The researchers note that even if the skimmer is discovered and shut down, the group has usually accomplished its task quickly.

Group 6 has sold its stolen data on a dump and credit card shop, the report says.

Finally, the report references Group 7, which emerged in 2018 and has already compromised at least 100 stores. The researchers make an interesting observation on how the group moves stolen information: "Instead of using a dedicated host for the injection and the drop, this group uses compromised sites as proxies for its stolen data," the researchers note. "Because Group 7 makes use of websites that are already compromised, that makes it very difficult to take them down."
