Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
October 30, 2018, Team RiskIQ
With Halloween right around the corner, we’re diving into the “tricks” and “treats” of digital threats. We’ll show you recent instances we’ve observed of threat actors using bait, or “treats” to lure victims to their ‘tricks,” malicious campaigns that harm customers, employees, and brands. In this blog, we’ll cover six recent scenarios involving tasty treats that turned out to be ghoulish tricks.
For our first scenario, we look at third-party suppliers and their promise of better site functionality. Don’t be lured into thinking that this “treat” is always beneficial, even if it improves the user experience of your company website.
For instance, as an e-commerce company, despite a number of advantages elsewhere on your site, it’s a best practice to remove the third-party code from your checkout pages whenever possible. Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information. The reason for this precaution? Magecart’s chilling skimming code.
A particularly problematic aspect of Magecart activities is due to a general lack of visibility into the code running on most e-commerce sites. Both website owners and customers alike are often unaware when the third party’s code on that checkout page into which they’re entering their payment information has been compromised with Magecart’s skimming code.
Here at RiskIQ, we’ve published four reports on the digital credit card-skimming activities of Magecart—mainly regarding significant breaches like Ticketmaster, British Airways, and Newegg.
In every publication, we noted that the six groups under Magecart have ramped up their operations, becoming more clever, and in many cases, sophisticated, with each attack.
Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. These attacks are only getting more and more traction as the groups learn how to become more effective.
At RiskIQ, we observe thousands of scam web pages in all forms—everything from fake pharmaceutical ads to phony prizes to false tech support and label them accordingly. In the mobile ecosystem, popular scams include ‘your device is running low!’, ‘you need to update your device!’ or ‘you need to install this antivirus to save your device!’ In one of these scams that surfaced in our data, we found a battery-saving app.
Surprisingly, this app that scam pages send users to carries out its advertised function. The drawback, however, is that it infects devices and steals data.
Many of the millions of scams we crawl at RiskIQ are relatively straightforward, but ever so often, we find something new. Typically, scams point to other web pages, but in this case, it redirects victims who click to Google Play, where they are served a malicious app. To get to the bottom of how the scam works from beginning to end, we pointed our investigative resources at it and outlined our findings below.
It all started with a fake warning for mobile devices:
The code on the scam page is standard—there are no apparent attempts at obfuscation or fingerprinting techniques. It even asks for the preferred language of the user.
With the language variable declared, the page then checks if the browser is using one of thirty-eight given ISO 639-1 language codes. If none of the language codes are present, the page defaults to an English-language message. Once the language setting is completed, the page renders the following pop-up:
If we hit the back button on the page, the page steps in with a pop-up warning the user that their device will remain slow.
When we click on the ‘install’ or ‘cancel’ buttons, we get sent to another server owned by the operators which forward us to the Google Play store.
We are taken to the Google Play page regardless of whether the code identifies us as a mobile or desktop user-agent, a catch-all approach which could suggest that a relatively unsophisticated group is behind the scam page.
The most alarming aspect is the permissions of the mobile app itself. Here are some of the more interesting ones:
As previously mentioned, interestingly, the app functions somewhat effectively:
Although the mobile app is functional and does its job, the user gets an undesired “bonus”– a small ad-clicking backdoor. The functionality of the ad-clicker is hidden with the rest of the battery saver code. While seemingly harmless, the ad-clicker also steals information from the phone, including phone numbers, phone type/brand/model, location, and more.
As mentioned earlier, RiskIQ has reported consistently since 2016 on the use of web-based card skimmers operated by the threat group Magecart. Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day.
Their core purpose is simple: to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a variety of these devices.
Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK, as well as other potential targets.
Magecart attacks are surging—RiskIQ’s automatic detections of instances of Magecart breaches pings us almost hourly. Meanwhile, we’re seeing attackers evolve and improve over time, setting their sights on breaches of large brands. While some Magecart groups still target smaller shops, the subgroup responsible for the attacks against Newegg and British Airways is particularly audacious, performing cunning, highly targeted attacks with skimmers that seamlessly integrate into their targets’ websites.
With the holiday shopping season approaching, including Black Friday and Cyber Monday, we expect Magecart activity to jump even further. RiskIQ reported that Newegg, a company that sees a massive uptick in traffic over the Black Friday weekend, was breached with the skimmer staying on its checkout page for several days.
Some scams just don’t take no for an answer–literally!
Going beyond tricking users with flashy ads for fake products or prizes or scaring them into trying to download phony software with the goal of redirecting them elsewhere, some scammers go a step further—they don’t even let their victims leave their page.
While doing page reviews for RiskIQ’s scam model, we encountered some peculiar behavior.
Not requiring any input from the user, a print dialog box opened up that attempted to get the user to download the page as a PDF file, which was the system default. The PDF file that pops up came back clean in VirusTotal, but the method by which the file was delivered was unusual. This mechanism seems to be designed to add an extra layer of pop-ups without any additional functionality.
To accomplish the delivery, the threat actors behind this campaign utilized the window.print() method, as well as a series of alerting for loops. For the user, merely closing the print dialog box will only take them back to the same scam page—no amount of backing out will take them away from the page.
In addition to these obnoxious for-loop alerts, the user also gets swept into a stream of windows through a function called ‘openMultipleTabs,’ which opens multiple fun windows the user can interact with—another way of keeping visitors on the page. The source also uses a fairly common trick that replaces the window.history with the current page, so the ‘back’ button is rendered useless.
The last major item for this page was that it was looking for specific keyboard values. If any keys were pressed, the page would toggle to full screen, another factor making it more difficult for a user to leave.
With cryptocurrency mania in full swing, investors must now navigate an entirely new, rapidly expanding threat landscape. Coins, alt-coins, tokens, exchanges, and other cryptocurrency apps—both legitimate and malicious—pop up in the marketplace every day. ‘Get-rich-quick’ promises of cryptocurrency attract new users every day. Some of these apps are stood up to target users, while many become the target of hackers themselves.
RiskIQ observes cryptocurrency threat campaigns that show threat actors bank on the fact that, to many people, the concept of cryptocurrency is nebulous at best, but still seen as a viable way to make money. This widespread perception creates fertile ground for scammers, who take advantage by creating all manners of cryptocurrency fakery designed to fool people out of money.
Already, RiskIQ has detected and blacklisted dozens of fake cryptocurrency apps in the mobile app ecosystem that exploit the names of well-known exchanges and mixers, as well as hundreds of sites that falsely promise to make users money in other ways.
The site cryptcoins.biz, for example, has a glossy cryptocurrency veneer but resembles a common advance fee scheme. Users can purchase phony “coins,” marketed as various “cryptocurrencies” with real money (rubles) via Payeer, with the goal of being able to exchange them for a return on investment later. They can also earn them through “bonuses” rewarded for taking actions such as clicking on ads, visiting web pages, and recruiting new users.
However, the exchange rates for these coins to rubles are intentionally confusing and absurdly steep. To receive a payout via Payeer, users must first exchange their coins for “silver,” which they then exchange for rubles at a rate of 100 “coins” to 1 “silver,” and 100 “silver” to 1 ruble. This rate makes for a fantastic deal for the people who run the site, but it’s a shakedown for customers.
We’ve spoken at length about the dramatic pivot by threat actors toward the lucrative cryptocurrency landscape. With many of those with the means of mining cryptocoins striking it rich, the internet has become something of a modern boomtown, with everyone—both legitimate brands and threat actors alike—trying to stake their claim.
However, the primary challenge facing cryptocurrency prospectors is that mining requires an extreme level of computing power, which can be prohibitively expensive—Fundstrat reported that the cost of mining a single Bitcoin reached about $8,038, and the cost of mining other coins are not far behind.
To get around it, actors will siphon CPUs from unwitting users across the internet.
While some brands do capitalize by running cryptocurrency mining scripts in the background of their sites to leverage the computers of their visitors legally, threat actors hack vulnerable sites and insert miners that run surreptitiously or spin up fake, illegitimate websites to siphon money with typosquatting domains and fraudulent branding.
To leverage domains or subdomains that belong, or appear to belong, to major brands with the goal of tricking people into visiting their sites running cryptocurrency mining scripts, these threat actors take advantage of the fact that security teams lack visibility into all the ways that they can be attacked externally.
These teams also struggle to understand what belongs to their organization, how it’s connected to the rest of their asset inventory, and what potential vulnerabilities are exposed to compromise. RiskIQ reported back in February that an upwards of 50,000 total websites have been observed using Coinhive, the most popular cryptocoin, in the past year–many of them likely without the original owner’s knowledge.
Organizations must be able to inventory all the third-party code running on their web assets and be able to detect instances of threat actors leveraging their brand on their illegitimate sites around the Internet. Threat actors realize the lack of visibility these organizations have and are targeting it accordingly.
RiskIQ is a world leader in Digital Risk management. Take charge of your digital presence and combat threats to your organization. Contact us today to learn more about how can protect your organization. You can also check out our ‘Treat or Trick? Six Digital Threats Dressed up As Irresistible Treats’ infographic here.