For the last few years, the Magecart group—the name given to a collective of at least seven cybercrime outfits—has been a scourge to e-commerce. Using the digital equivalent of physical credit-card skimmers on high-profile websites, the group is alleged to be responsible for the loss of hundreds of thousands of payment card records and the personal data of its victims. Flashpoint and RiskIQ yesterday released a report profiling the groups behind the breaches, and the murky criminal underworld that lies within.
The Magecart threat grew out of a single group’s activities in 2015 when it began compromising vendor websites and injecting skimmers. Several thousand stores were affected during that time. RiskIQ became aware of the threat and began tracking it in 2015. A new group emerged in 2016 with a skimmer and infrastructure distinct from the first group. The evolution of skimmers and the multiplication of groups continues to this day. Some of these groups cast wide nets and hit as many vendors as possible. Some carefully conceal their skimmer. Some target third parties to gain access to the thousands of vendors they serve. Some limit their victims to a few high-value organisations and use specially tailored skimmers, domains, and attacks against them. The threat actors continue to grow, evolve, and learn.
Growing threat within e-commerce
Massive online spending has given rise to e-shopping giants such as Amazon and Alibaba, as well as multitudes of small and medium-sized shops. It is this growth that has created a new hidden economy around the theft and sale of credit card data. Software developers create kits for stealing card data from compromised stores but take no part in the actual compromise. They earn money by either selling their kits or entering into profit-sharing agreements with groups or individuals who compromise organisations and then use their kit to inject the skimmer and steal card data.
Criminals may compromise stores through their own means or they may simply purchase access to compromised vendor sites through illicit stores on the dark web where such access is sold. The price for each compromised vendor site is set according to its value as determined by those running the illicit stores.
Once the card data is stolen it must be monetised. There are further illicit stores that specialise in the sale of stolen card data. Then the parties that buy the cards use them to make purchases. Criminal groups may also cut out the middleman and instead recruit unwitting persons to receive goods purchased with stolen card data and re-ship them overseas to the criminal group, who then sell the goods in their home countries.
Whilst we have all heard of Magecart as the umbrella name to describe multiple criminal groups that perform skimming attacks to obtain payment information, RiskIQ actively tracks each individual group performing these attacks. These groups are distinguished on several different criteria. The following is a list of criteria we use for this classification:
- Infrastructure is unique:
a. There is a unique pool of IP addresses
b. There is a unique pool of domains
c. There is a specific server setup fingerprint
- Skimmer is unique:
a. A unique obfuscation technique is used
b. The skimmer is unique in its functioning or approach to getting data
c. The skimmer is loaded in a unique way
- Targeting is unique:
a. Their pool of targets has a unique presence/fingerprint
b. The way they gain access to their targets is unique
c. The way they place the skimmer on their victim’s site is unique
d. The method they use to reach their victims is differentiated
Whilst these threat-group profiles highlight the different operations under the Magecart umbrella and analyse their modus operandi, another key threat lies within brand impersonation.
Brand impersonation is a persistent problem on the internet—the report highlights thousands of incidents where customers are tricked into false and fraudulent use of their favourite brand across the web and mobile ecosystem.
The report highlighted a widespread brand-impersonation campaign making use of skimming scripts for credit card skimming. Rather than compromising stores, the threat actors behind the brand-impersonation campaign set up stores that mimic legitimate vendors such as Nike, Adidas, The North Face, and others. RiskIQ observed more than 800 sites hosting these brand-impersonation/skimming stores since June 2018.
The lack of visibility is the biggest weakness that most organisations are facing: they are seemingly unaware of their vulnerabilities and of whether they’ve been breached. Today’s e-commerce landscape is a fertile ground for Magecart attacks, especially amongst the vast number of SMEs.
To combat the Magecart threat, e-commerce companies need to follow general good security practices, but also perform additional integrity checking, such as monitoring servers for any file modifications.
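The file-modification monitoring recommended above can be as simple as a baseline-and-compare check over the files that make up the checkout page. The script below is an added example written for this page; it is not code from the report or from RiskIQ/Flashpoint. It assumes a web root on disk and a set of watched file extensions (`.js`, `.php`, `.html`) that are both assumptions; the sample web root and the "unauthorised" change it applies are constructed inside a temporary directory so the script runs offline.

```python
"""Baseline-and-diff integrity check for a web root (added example, not from the report)."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these are the server-side files whose content reaches the checkout page.
WATCHED_SUFFIXES = {".js", ".php", ".html", ".htm"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (path relative to root, POSIX style) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Construct a toy web root, baseline it, alter it, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("function pay() { /* constructed */ }\n")
        (root / "index.html").write_text("<html></html>\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a watched suffix, so ignored
        baseline = build_baseline(root)

        # Constructed changes standing in for what a monitor should flag:
        # an existing checkout script altered, and a new script that was never deployed.
        with (root / "js" / "checkout.js").open("a") as fh:
            fh.write("/* constructed: content not present in the deployed release */\n")
        (root / "js" / "extra.js").write_text("// constructed: file not in baseline\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

In practice the baseline is taken from a known-good deployment, stored somewhere the web server process cannot write, and compared on a schedule or after each release; any `added` or `modified` entry that does not correspond to a deployment is the alert. Note the limit of a server-side check: it sees only files on this host, so a script pulled in from a compromised third-party provider (the supply-chain case described earlier) needs a separate control, such as fetching and hashing those remote resources or constraining them with subresource integrity.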
From a consumer perspective, the report highlights that there is a good chance that their credit card number has been compromised. Therefore, suggestions around consumer protection include getting new cards from their bank and considering additional verification steps on their payment accounts. Banks don’t always have two-factor authentication enabled by default, but bank customers can add a second step to their payment process in which they have to provide additional proof of identity. This way, even when a card is skimmed, payments cannot go through, as the attackers cannot perform this second step of verification.