Magecart: New Research Shows the State of a Growing Threat

Executive Guardian

Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.

Read the Datasheet

Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface

Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.

Get the Report

Threat Hunting Workshop Series

Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.

Attend an Upcoming Workshop

Blog

Magecart: New Research Shows the State of a Growing Threat

October 4, 2019

Team RiskIQ

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It’s also fundamentally changing the way we view browser security.

A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer or website owner’s knowledge. Although it’s just now getting global attention, Magecart has been active for nearly ten years—RiskIQ’s earliest Magecart observation occurred on August 8th, 2010.

Magecart works by operatives gaining access to websites either directly or via third-party services in supply-chain attacks and injecting malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. Quietly, it’s eating away at the e-commerce industry because website owners lack visibility into the code that’s running on their site, which is a bigger problem than most people realize. Skimming code can exist on a breached website for weeks, months, or even indefinitely, victimizing any visitor that makes purchases on that site.

RiskIQ’s global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do; a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the valuable insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times, and directly breached over 18,000 hosts.

Download the report here, which includes insights such as:

17% of all Malvertisements detected by RiskIQ contain Magecart skimmers

The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely.

Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.

Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains.

Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites.

The entire report, containing additional insights and information, is available for download here: https://www.riskiq.com/research/magecart-growing-threat/

Return to Blog Home

Search

External Threat Management (244)

Labs (89)

Analyst (81)

Magecart (22)

Interesting Crawls (6)

Connect with us

Featured Post

Full(z) House: A Digital Crime Group Using a Full Deck to Maximize Profits

November 26, 2019

Yonathan Klijnsma

Tweets by @riskiq

RiskIQFollow

RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.

RiskIQ @RiskIQ·

RiskIQ's #COVID19 Daily Update for 4/3:

➡️U.S. and European countries evaluating phone-based surveillance to combat spread
➡️KS first state to use GPS to track residents' phones
➡️Carbon emissions could fall by 5% year-on-year

Read the full update here: https://bit.ly/2Uv3CMV

Reply on Twitter 1246191757307465730 Retweet on Twitter 1246191757307465730 Like on Twitter 1246191757307465730 Twitter 1246191757307465730

Retweet on Twitter RiskIQ Retweeted

kristina liberatore @kmillerlib·

COVID-19: Tips for safely #shopping online https://wgntv.com/midday-news/covid-19-tips-for-safely-shopping-online/ @SEGinty @riskiq #covid19 #cybersecurity

Reply on Twitter 1246148856015880194 Retweet on Twitter 12461488560158801944 Like on Twitter 12461488560158801942 Twitter 1246148856015880194

Retweet on Twitter RiskIQ Retweeted

Dcode @dcodethegov·

@daphneleprince @ZDNet From improving cyber posture to detecting outbreaks & identifying patterns, these emerging tech companies are support the US government's Covid-19 response efforts: https://dcode.co/covid-19-response-dcode-alumni/ @Trifacta @myWickr @DataRobot @OmniSci @RiskIQ @thresher_io @fraym_io @IonChannel_io

Reply on Twitter 1246109789777735683 Retweet on Twitter 12461097897777356831 Like on Twitter 12461097897777356833 Twitter 1246109789777735683

Retweet on Twitter RiskIQ Retweeted

David Bisson @DMBisson·

11h

MakeFrame: Magecart Group 7’s Latest Skimmer Has Claimed 19 Victim Sites https://www.riskiq.com/blog/labs/magecart-makeframe/ @RiskIQ #Magecart #skimmer

Reply on Twitter 1246069835685072896 Retweet on Twitter 12460698356850728961 Like on Twitter 12460698356850728961 Twitter 1246069835685072896

RiskIQ @RiskIQ·

2 Apr

RiskIQ's #COVID19 Daily #Cybercrime Update for 4/2:

➡️#Healthcare providers and facilities in the U.S. and Europe see a surge of #ransomware attacks
➡️ZDNet identified five COVID-19-related malware strains
➡️Updated #spam stats

Read the full update here: https://bit.ly/2QwfRHS

Reply on Twitter 1245848016939937793 Retweet on Twitter 1245848016939937793 Like on Twitter 1245848016939937793 Twitter 1245848016939937793

Blog