Anything you type, Magecart will take
RiskIQ now detects several Magecart breaches hourly and has observed Magecart skimmers in the wild millions of times. Many of these attacks are amateurish, using crude tactics and pre-packaged tools to try to get a skimmer on any site and any webpage possible. However, there are also sophisticated actors pushing the boundaries of what Magecart can do, and these advanced attacks could very well become the new normal.
Rather than hoping one of their skimmers will reach a website, these skilled Magecart operatives will target large retailers specifically, studying the e-commerce platform carefully to understand its vulnerabilities and inner workings. Their goal is to custom-build skimmers in line with the site's appearance and functionality so that they can stealthily intercept not only credit card data but also other types of information users type into parts of the site usually off-limits to skimmers. For example, skimming information typed into online shopping profiles, in which customers save names and shipping addresses, can enable Magecart actors to combine skimmed PII with its corresponding financial data to create "fullz," packages of data highly valuable on the black market.
There are a variety of ways to attack the functionality of a website, and operatives with the right insight and enough time will find them.
Magecart will attract threat actors from all over the threatscape
In our "Fullz House" report, we showed how a threat group crossed over from the phishing ecosystem into Magecart. Their objective was to add stolen credit card information to the PII they were already taking in a lucrative bid to produce and sell fullz.
Bringing an entirely new skill set to the online skimming game, this group spun up fake payment pages masquerading as legitimate financial institutions. They then redirected unwitting phishing victims to these skimmer-rigged pages to fill out their payment data. This new skimming-phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable to Magecart.
It doesn't matter how online transactions are structured nowadays: attackers can and will capture full packages of individuals' identifying and financial information.
When it's lucrative, cryptojacking will surge
There's been a recent decline in browser-based cryptojacking, i.e., secretly using someone's computing power to mine cryptocurrency without permission. As the price of cryptocurrency plummeted, people abandoned their cryptomining endeavors because the surging cost of mining made the activity unviable.
In 2017, cryptojacking affected 500M users, and in 2018, RiskIQ detected an average of 495 new hosts running cryptocurrency miners each week, with hundreds in the Alexa top-10,000. That pace can continue in 2020 and beyond.