Magecart: New Research Shows the State of a Growing Threat

External Threat Management Magecart

Magecart: New Research Shows the State of a Growing Threat

October 04, 2019

By Team RiskIQ

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It's also fundamentally changing the way we view browser security.

A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer or website owner's knowledge. Although it's just now getting global attention, Magecart has been active for nearly ten years—RiskIQ's earliest Magecart observation occurred on August 8th, 2010.

Magecart works by operatives gaining access to websites either directly or via third-party services in supply-chain attacks and injecting malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. Quietly, it's eating away at the e-commerce industry because website owners lack visibility into the code that's running on their site, which is a bigger problem than most people realize. Skimming code can exist on a breached website for weeks, months, or even indefinitely, victimizing any visitor that makes purchases on that site.

RiskIQ's global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do; a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the valuable insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times, and directly breached over 18,000 hosts.

Download the report here, which includes insights such as:

17% of all Malvertisements detected by RiskIQ contain Magecart skimmers

The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely.

Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.

Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains.

Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that's gone offline to assume access to these breached sites.

The entire report, containing additional insights and information, is available for download here: https://www.riskiq.com/research/magecart-growing-threat/

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

5-Questions Security Intelligence Must Answer

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event