Magecart Group 8 has been targeting online retailers since 2016. This distinct skimming group first came to light when RiskIQ, led by researcher Yonathan Klijnsma, analyzed its skimmer in 2017 and exposed attacks on Nutribullet in February 2020 and MyPillow and Amerisleep in 2019.
The group hasn't fixed what isn't broken and today still uses the same skimmer and many of the same tactics and techniques to steal payment data. When selecting its targets, the group seems to continue to favor the home improvement industry, specifically hardware, real estate services, and interior design and decor.
Supported by our Internet Intelligence Graph, our researchers identify patterns to uncover new threat infrastructure and attacks across the global threat landscape. For Magecart Group 8, its choice of hosting providers shined new light on its skimming activities. RiskIQ researchers identified a pattern in the group's use of hosting providers Flowspec, JSC TheFirst, and OVH and its propensity to transition potentially inactive infrastructure from Bulletproof hosting providers to legitimate ones such as Velia.net.
Flowspec’s webpage offers various creative spellings of “bulletproof” services.
Hundreds of Skimming Domains Enabled by Bulletproof Hosting
Researchers across the industry are using Twitter to share and expose recent Group 8 infrastructure to raise awareness of the threat. Investigation into reported infrastructure reveals the use of Flowspec hosting services, a known bulletproof hosting provider that can provide infrastructure protection and support to those involved in malicious activities.
Recent tweets from researchers “unmaskparasites” and “p0x53” tracking Group 8 activity.
Our researchers came across a Group 8 domain surfaced by our Internet Intelligence Graph, which helps us monitor Magecart activity worldwide. They noted at least two associated skimmer JavaScript files targeting retailers. At the time of this publication, the domain has been hosted on a Flowspec IP since March 2021.
Further research into the hosting of Group 8 skimmer activity provided them with several potentially malicious IPs skimmer domains and a history of hundreds of compromised retail domains.
Several Group 8 skimmer domains
Hosting Patterns: Two Bulletproof, One Not
Our research shows that Group 8 domains were mainly hosted on Flowspec IPs going as far back as 2018 and became unroutable for a period—in some cases, exceeding a year—before transitioning to Velia.net, where they appear dormant and parked, possibly for future use. Velia.net hosting does not have the checkered history of facilitating malicious behavior quite as heavily as JSC TheFirst and Flowspec bulletproof hosting services.
Our researchers found that this same pattern of behavior is taking place with infrastructure previously hosted on OVH and JSC TheFirst—an unroutable period followed by potentially dormant hosting on Velia.net, WorldStream, and Amazon.
RiskIQ researchers also see this pattern emerge while investigating the historical Group 8 domains for Flowspec and JSC TheFirst hosting activity. In a sample from 2018 activity, the researchers detected the Group 8 skimmer active for several months on a domain hosted on an OVH IP address. It remained unroutable after December 25, 2018, until 2020, when it moved to Google, followed by Amazon hosting.
Yet another example of this pattern is a Group 8 domain hosted on JSC TheFirst between March 1, 2018, and September 4, 2019. As with the others, it transitioned to Velia.net hosting, where it was not seen hosting a malicious file.
You can explore the full list of IOCs that surfaced in this investigation here.
Patterns Tell a Story
At RiskIQ, we are routinely expanding our understanding of Magecart groups and their activity, which continues to proliferate and evolve. We've been tracking Magecart Group 8 activity since 2017. After some recent reporting by other researchers tracking this group's expanding footprint, we took another look with a fresh perspective to update our profile on Group 8 to enable our customers to better detect its malicious activity.
Patterns in malicious infrastructure tell a story and can expose otherwise clandestine - and successful - threat campaigns. The sheer amount of infrastructure used by Magecart Group 8 points to them finding sustained success in skimming online retail customers. However, by having an internet-wide view of the threat landscape, we can begin to detect patterns that unearth infrastructure that help RiskIQ, our partners, and our customers mitigate its impact.
