Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Magecart is more than just a security problem—it’s also a business problem.
When threat actors breached British Airways in September resulting in the compromise of thousands of customers’ credit cards, the world got a look at what the fallout of a modern security breach looks like. Immediately afterward, a law firm launched a £500 million class action suit. On top of that, under GDPR, firms found liable for a breach can be fined up to 4% of turnover, or £500 million in British Airways’ case.
Magecart, the digital credit card skimming groups behind some of the most impactful hacks of 2018, was the culprit. As the world saw, Magecart is more than just the flavor of the week hacking group—it’s a digital threat that will haunt businesses long into the future. That’s why it’s foolish to view Magecart as anything but a new threat category all its own. Like malware, phishing, domain infringement, etc., organizations now need a long-term solution to address it.
2018 saw numerous high-profile digital credit card-skimming attacks against major international companies conducted by Magecart. Alongside British Airways, these included the likes of Ticketmaster and Newegg. These infamous breaches led to the group garnering unprecedented attention with WIRED naming it as one of the eight “most dangerous people on the internet in 2018”.
Security professionals now have Magecart firmly on their radar but what they must remember is that the group is continuously evolving, as seen most recently with the never-before-documented Magecart Group 12.
Magecart is becoming an even more significant digital threat as it continues to scale and evolve. The term, ‘Magecart,’ encompasses a wide range of groups that are all joined together by the same goal: to conduct web form skimming campaigns that help them amass payment information that Magecart actors then monetize.
There are currently approximately 12 groups – the twelfth being a recent find – and researchers at RiskIQ are always uncovering more. Existing groups are ambitiously harnessing what are proving to be extraordinarily successful tactics, one of the most notable being web supply chain attacks. While we have attributed this style of attack to Magecart Group 5, we have recently seen a new group, Group 12, take the web-based supply chain attack in a new direction.
These supply chain attacks compromise vendors that supply code often used to add or improve site functionality. This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are affected in kind. This large-scale access to websites gives Magecart access to a wide range of victims at once.
Part of what makes these attacks so successful is that businesses lack visibility into their web-facing attack surface. In many cases, they have no idea that the third-party code on their web assets is dangerous—or that they’re running that code at all.
In the months and years to come, it is likely that new variants of these sorts of web skimming attacks will emerge, either by the current, or new Magecart groups. While payment data is currently the focus, the move to skimming login credentials and other sensitive information has already been seen, which widens the scope of potential Magecart victims far beyond just e-commerce.
For businesses, this means that there needs to be a continued focus on visibility into internet-facing attack surfaces and increased scrutiny of third-party services that form an integral part of modern web applications. What Magecart’s recent ravages have shown is that a lot of the investments that have been made in securing corporate infrastructure have not worked. Companies will continue to be overwhelmed by the scale and tenacity of groups of its kind, especially as attacks launch from outside the firewall and the data theft occurs on in the user’s browser, well outside the scope of network monitoring tools.
Consumers are at an increased risk of seeing their personal information compromised as a result of this development since it is they who sit on the valuable data. Magecart Group 5 and Group 12 have capitalized on the fact that the security controls of small companies who provide services to enhance the websites of global brands are far less developed than the security controls of the global brands themselves.
What all of this means is that even if a company’s own security measures are strong, they can fall on the weaknesses of third parties, many of which are unknown to the security team. Development teams need to be aware of the potential risks is using these services and should work with the security team on ensuring they are assessed, monitored and managed.
What’s more, with the increased efficiency of credit-card skimming groups the time it will take for a large number of consumers to have their data stolen, seemingly out of nowhere, is decreasing quickly. In the end, it doesn’t matter to consumers whether their data is stolen as a result of a traditional breach or a web-based supply chain attack. What is at stake is the reputation of organizations that run payment forms online, and the overall confidence of online shoppers.
Lately, you’ve heard a ton of chatter from security vendors around Magecart—what it is, how it operates, and how you can defend against it. The problem is, most of these vendors lack Magecart expertise because they have no way of seeing it in the wild themselves. Many are copying the research of others, and some are even adding to the confusion by calling Magecart something utterly different, like ‘form jacking.’
Cut through the noise. Because of RiskIQ’s internet-scale visibility and ability to view a businesses’ internet-facing attack surface as Magecart sees them, our researchers and technology first exposed, profiled and analyzed Magecart, and now continue to detect it as it evolves.
What are the keys to a Modern Vulnerability Risk Management Program? On Tuesday, @joshuamayfield and @josh_zelonis will examine why defending your organization's digital attack surface starts with being able to discover unknowns and investigate threats: https://t.co/kCxgPW0Ckb
IGNITE is just 10 days away! RSVP now to kick off #RSAC and party with Flashpoint, @elastic, @ThreatQuotient, @Siemplify, and @RiskIQ: https://t.co/hnlh0UhHEo
The largest UK #GDPR fine was £183m in 2018 as B.A. booking website was hit by Magecart ccard skimming code. @RiskIQ worked with https://t.co/E3JRdvCMWA and Shadowserver to take down the malicious domains. https://t.co/iiH69vbKFK
The theme of this year's @cctxcanada 4th annual collaboration event is "Give and Take: Why helping others drives our success." RiskIQ's Geoff Roote explains the modern Internet Attack Surface and why defending the web is a collaborative community effort.