Breach Response , Cybercrime , Cybercrime as-a-service

Magecart Cybercrime Groups Harvest Payment Card Data

Card-Scraping Code Has Infiltrated Over 100,000 E-Commerce Sites
Magecart Cybercrime Groups Harvest Payment Card Data
Payment card data stolen from retailer Newegg by Magecart Group 6 appeared for sale on the notorious carder site Joker's Stash about a week after the attack was remediated.

Over the past year, there's been a surge in attackers implanting code on websites that has allowed them to steal payment card data from British Airways, Newegg, Ticketmaster and others, all tied to what security researchers call Magecart.

See Also: Third-Party Cyber Risk Management - A Data-Driven Approach

But who or what is Magecart?

"Magecart is an umbrella term given to at least seven cybercriminal groups that are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success," according to a new report from security firms RiskIQ and Flashpoint.

To be clear: Magecart is a term applied to multiple attack groups that share a similar - and unfortunately very effective - cybercrime modus operandi.

"Magecart is simply the term we have for an MO that is as follows: 'Webskimming for payment information,'" Yonathan Klijnsma, a threat researcher at RiskIQ, tells Information Security Media Group.

Different Infrastructure, Skimmers, Targeting

RiskIQ differentiates the groups based on each one using unique infrastructure, skimmers and targeting tactics. "The different groups aren't in any way associated, besides being competitors to each other in the field of payment card skimming for profit," Klijnsma says.

Magecart attacks are characterized by attackers using certain types of "digital skimmers," or code designed to swipe information disclosed during e-commerce transactions.

So far, RiskIQ has counted at least seven cybercrime groups that it classifies as being part of Magecart, although it says that's not meant to be an exact figure.

Source: RiskIQ/Flashpoint

"We break down the first six groups of the set we track, but there are many more groups and individuals taking part in Magecart web skimming," according to the report, which is meant to highlight some of the tactics these groups employ as well as the scale at which they can operate.

Ever-Expanding List of Victims

Some of this information has been compiled thanks to web crawlers maintained by RiskIQ. These scan the internet looking for websites that have been injected with known Magecart attack code.

Beyond British Airways, Newegg and Ticketmaster, other victims of Magecart named in the report - all previously notified by researchers and the infections curtailed - include Annex Cloud, Clarity Connect, CompanyBe, Conversions On Demand, Feedify, flashtalking, Inbenta, PushAssist, SAS Net Reviews, ShopBack, Shopper Approved and SociaPlus.

The researchers say they have withheld some information about the groups and their victims because of active law enforcement investigations or the inability to notify some victims. While they've notified numerous victims, the sheer scale of Magecart attacks makes it difficult to reach them all. "For that reason, we focused on taking on Magecart at its source by taking down its infrastructure with the help of AbuseCH and ShadowServer," they say in the report, referring to two sites that work to battle malware, botnets and online fraud.

Stealing payment card data by exploiting e-commerce shopping cart functionality isn't a new phenomenon. As the report notes, such risks date from at least April 2000, when a backdoor in Cart32 shopping cart software that was at least a year old was discovered. The backdoor, which was a secret password built into the software, would have allowed attackers to steal payment card data.

Since then, tactics have continued to evolve. Magecart attacks date from 2015, when they were spotted by security researcher Willem de Groot, and they soon were tied to the compromise of thousands of e-commerce sites.

"The original Magecart skimmer was comprised of JavaScript embedded into e-commerce pages," the report notes. "Whenever card data was entered into a form, the skimmer copied the form and sent the stolen card data to a drop server. In this skimmer version, the drop server was the same as the one serving the skimmer. Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use."

Subsequently, a new group appeared in 2016 that used a different skimmer and infrastructure, and the groups have continued to increase since then.

Tactics Vary

Researchers say Magecart groups use a variety of tactics. Some Magecart groups are more stealthy and target a handful of high-value targets at a time. Others instead target a vendor or third-party supplier to organizations that handle payment card data, seeking to maximize their haul, even if it's only for the short term.

"The different [Magecart] groups aren't in any way associated, besides being competitors to each other in the field of payment card skimming for profit."
—Yonathan Klijnsma, RiskIQ

Group 5, for example, has been tied to attacks that appear to have compromised at least 100,000 organizations and sites, according to the report. That victim count only includes those organizations that had attack code embedded. It doesn't count the number of individuals who used the sites and subsequently had their payment card data compromised.

"This group compromised such a wide variety of services that we've even seen the skimmer appear in advertisements and on major CDNs [content delivery networks]," the report notes.

Group 5 was also responsible for the breach of Ticketmaster. But the report notes that it began as a December 2017 breach of website visitor tracking software SociaPlus, which led to the attackers intercepting data from Ticketmaster, a user of SociaPlus. After that, however, the report notes that the attackers appear to have begun focusing solely on Ticketmaster. In February 2018, the group compromised support software built by Inbenta as part of its expanding attack against Ticketmaster, the report notes.

Skimmer Code Is Easily Available

Some Magecart attack groups seem to bring more advanced skills to bear, seeking to maximize their illicit returns from any given breach. That includes Group 6, says Klijnsma, which has been tied to the breach of Newegg, as well as U.K. flagship carrier British Airways, which is owned by International Airlines Group.

"This can be seen even with the recent IAG statement that a server in the internal network was also pilfered for payment information," he says. "This group takes their time to understand the victim's network to get as much out of a breach as possible."

The report notes that Group 6 tends to route its stolen payment card data to a single carder site for resale. While the report doesn't name this site, based on the referenced images, it's clearly the notorious carder site called Joker's Stash (see: The Art of the Steal: FIN7's Highly Effective Phishing).

Stolen British Airways payment card data appeared for sale on a carder site about one week after BA expunged the Magecart attack code. (Source: RiskIQ/Flashpoint)

Such attacks, however, have been traced to more than just Magecart groups.

In the joint report, Flashpoint notes that it's found four especially prolific underground skimmer vendors that market and sell their sniffer kits on the cybercrime underground.

"They prefer to communicate both via the forums and one-on-one encrypted Jabber communications when discussing their offerings," Vitali Kremez, director of research at Flashpoint, tells ISMG (see: Cybercrime Markets Sell Access to Hacked Sites, Databases).

Different groups are organized in different ways, based on the complexity of their operation as well as how they've chosen to try and monetize their activities. "For example, some underground vendors prefer to join criminal breach groups to share profits from e-commerce credit card breaches," Kremez says. "Others are simply supporting their sniffer toolkits to multiple buyers in the underground."

Specialized Cybercrime Ecosystem

Magecart mirrors much of what's previously been seen on the cybercrime front: The individuals composing Magecart appear to have originated "from the Eastern European cybercriminal ecosystem," Kremez says.

Like other criminals working online who seek an illicit payday, Magecart groups target Western countries' payment card data. "U.S. and Western European cards are most profitable for fraud," Klijnsma says. "This gives them good motivation to go mostly for Western countries as the return will be better on those cards they skim."

These efforts, however, are still but one piece in the highly specialized cybercrime ecosystem. Indeed, most Magecart groups monetize their card-stealing endeavors by routing their stolen payment card data to underground credit card shops for sale, the researchers say. From there, buyers will then typically use money mules to try and convert the payment card numbers into cash, or to buy and ship stolen goods.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.