One of the multiple hacking groups operating under the “Magecart” umbrella has changed its tactics following a November 2018 report exposing their activity.
Generically referred to as Group 4, the actor was described as the most advanced of the six groups that have been employing Magecart web skimmers at the time (the number has increased since), and RiskIQ’s security researchers even suggested the group might originate from established cybercrime operations.
The public exposure apparently determined Group 4 to make a series of changes to their modus operandi, especially since parts of their infrastructure were also taken down, RiskIQ now reports.
Since November, the group has been observed registering close to a hundred new domains and setting up a large pool of servers to route these domains and deliver skimmers.
“Just like we’re professionals in cybersecurity, they’re professionals in cybercrime. We may not hold their ‘job’ in high regard, but Group 4 is an advanced group of professional criminals and a dangerous adversary,” RiskIQ says.
The domains associated with the group’s skimming activities are proxies that point toward a large internal network. The researchers also discovered that the proxies upstream skimmer requests towards a backend delivering the skimmer script.
Other Magecart hackers rely on kits that are a combination of PHP and MySQL-based backends. This means that the same server that obtains the stolen data is also the source of the skimming code and hosts the backend.
In addition to changing their infrastructure, the group also updated key elements of the skimmer, which no longer uses the old functionality, although it continues to include old code. Features in the code are now enabled with feature flags, with new features being turned off by default.
Previously, the skimmer was an overlay payment phishing system, but the new code uses skimming existing payment forms instead. The skimmer goes through page forms and pulls out the payment data, which reduces it to only around 150 lines of code.
It also adds a new event listener to hook into the process of the payment-completion process, which listens for the usage of the return/enter key. The option is added with a feature flag and might be experimental, as the researchers only observed it turned off.
The exfiltration URL was simplified, as the code picks a random domain from a pool of pre-configured domains; takes the page scheme, adds the domain and generates a three letter random .jpg file path; appends the skimmed data as URL arguments; and includes the URL as an image element and removes it as soon as it’s loaded. The exfiltrated data is encrypted.