Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Magecart Hackers Change Tactics Following Public Exposure

One of the multiple hacking groups operating under the “Magecart” umbrella has changed its tactics following a November 2018 report exposing their activity. 

One of the multiple hacking groups operating under the “Magecart” umbrella has changed its tactics following a November 2018 report exposing their activity. 

Generically referred to as Group 4, the actor was described as the most advanced of the six groups that have been employing Magecart web skimmers at the time (the number has increased since), and RiskIQ’s security researchers even suggested the group might originate from established cybercrime operations. 

The public exposure apparently determined Group 4 to make a series of changes to their modus operandi, especially since parts of their infrastructure were also taken down, RiskIQ now reports

Since November, the group has been observed registering close to a hundred new domains and setting up a large pool of servers to route these domains and deliver skimmers. 

The hackers removed IP overlaps and only put a maximum of five domains on one IP address and ensured they don’t route to other IPs, pool IP space with different hosters (previous infrastructure was fixed on bulletproof hosters or those that would ignore malicious activity). Furthermore, the group now uses a variety of standard JavaScript libraries.

“Just like we’re professionals in cybersecurity, they’re professionals in cybercrime. We may not hold their ‘job’ in high regard, but Group 4 is an advanced group of professional criminals and a dangerous adversary,” RiskIQ says. 

The domains associated with the group’s skimming activities are proxies that point toward a large internal network. The researchers also discovered that the proxies upstream skimmer requests towards a backend delivering the skimmer script.

Other Magecart hackers rely on kits that are a combination of PHP and MySQL-based backends. This means that the same server that obtains the stolen data is also the source of the skimming code and hosts the backend. 

In addition to changing their infrastructure, the group also updated key elements of the skimmer, which no longer uses the old functionality, although it continues to include old code. Features in the code are now enabled with feature flags, with new features being turned off by default. 

Previously, the skimmer was an overlay payment phishing system, but the new code uses skimming existing payment forms instead. The skimmer goes through page forms and pulls out the payment data, which reduces it to only around 150 lines of code. 

It also adds a new event listener to hook into the process of the payment-completion process, which listens for the usage of the return/enter key. The option is added with a feature flag and might be experimental, as the researchers only observed it turned off. 

The exfiltration URL was simplified, as the code picks a random domain from a pool of pre-configured domains; takes the page scheme, adds the domain and generates a three letter random .jpg file path; appends the skimmed data as URL arguments; and includes the URL as an image element and removes it as soon as it’s loaded. The exfiltrated data is encrypted. 

Related: Seven Hacking Groups Operate Under “Magecart” Umbrella, Analysis Shows

Related: New Magecart Group Targets French Ad Agency

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...