At least seven different cybercrime groups referred to as “Magecart hackers” are placing digital credit card skimmers on compromised e-commerce sites, Flashpoint and RiskIQ reveal in a joint report.
Active since at least 2015, the Magecart hackers steal credit card information by placing digital skimmers on the websites they visit.
Although the hackers managed to remain unnoticed for about three years, they gained a lot of attention lately, after targeting high-profile online destinations, including Ticketmaster, British Airways, and Newegg.
More recently, the hackers hit third-party services, such as Feedify and Shopper Approved, and even targeted Magento extensions. The attacks have increased in number and have been highly successful in compromising e-commerce sites, yet the number of victims is difficult to determine.
After conducting a thorough investigation into these attacks, Flashpoint and RiskIQ security researchers discovered that the Magecart umbrella isn’t representative for a single group of attackers, but for at least seven of them, each with their own skimmers, tactics, targets, and other unique elements. The list, however, is not comprehensive.
The first two groups, which the researchers merged into one, likely use automated tools to breach and skim sites. The attackers compromised several thousands of websites with JavaScript code and used a sophisticated reshipping scheme for monetization: mules would buy goods using the stolen data and send the goods to the hackers, who would then resell the goods for profit.
Group 3, the researchers say, attempts to compromise a high volume of targets, to hit as many victims as possible. Their skimmer checks if any of the forms on the checkout page holds payment information, which makes it unique when compared to other Magecart groups.
Group 4, which the researchers say is extremely advanced, uses code that can blend in with the victims’ sites to hide in plain sight and employs various methods to avoid detection. Their skimmer is only served if the request is made with a valid user-agent at the bare minimum.
The group likely “originates from another crime business involved in malware distribution and hijacking of banking sessions using web injects,” the security researchers note.
Instead of going for individual stores, Group 5 hacks third-party suppliers to breach a large number of targets. Their skimmer is fairly typical among Magecart groups, likely because the hackers purchased the same kit as the others, but the group is responsible for the Ticketmaster incident, and Feedify and Shopper Approved attacks, among many others.
Group 6 only goes for top-tier targets, such as British Airways and Newegg, in an attempt to secure a high-volume of traffic and transactions. Despite using a simple skimmer, the group has had massive impact, even if their malicious code wasn’t present on the target websites for long.
Without a well-defined modus operandi, Group 7 attempts to compromise any e-commerce website it can find. The hackers use a simple skimmer, tailored for the specific type of checkout process each of their victims uses. The group leverages compromised sites as proxies for its stolen data.
“Magecart is only now becoming a household name. However, its activity isn’t new and points to a complex and thriving criminal underworld that has operated in the shadows for years,” RiskIQ and Flashpoint note in their joint report.
The security researchers also note that web-skimming isn’t unique to Magecart. One unrelated group uses the technique in a widespread brand-impersonation campaign, to steal credit card data. The cybercriminals set up stores that mimic legitimate vendors such as Nike, Adidas, The North Face, and others, and place the skimmers on them. Over 800 such brand impersonation/skimming stores were observed since June 2018.
Related: Magecart Hackers Now Targeting Vulnerable Magento Extensions