Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
In November of 2018, we published the cornerstone report “Inside Magecart,” in which we disclosed the existence of seven distinct Magecart groups and described in detail their operations and the different ways they skim payment information. Since then, we’ve detailed even more groups, such as Group 11 and Group 12.
After our researchers surface more Magecart instances in RiskIQ’s automated detection, attribution is usually the final step in our analysis. However, we also spend a lot of time keeping up with each group and how it evolves. In this article, we’ll get back to a group we covered in the “Inside Magecart” report: Magecart Group 4.
We shed a big, bright light on Magecart Group 4’s operation and in the process described how their skimming attacks worked. However, more importantly, we took down crucial parts of their infrastructure. By taking down this infrastructure, we forced them to change their tactics and rebuild everything. Fortunately, this did not affect our ability to track them.
Magecart Group 4 has registered close to a hundred new domains and set up a large pool of servers with which to route these domains and supply victimized websites with skimmers. When we described Magecart Group 4 in the Inside Magecart report, we noted them as one of the most advanced groups we’ve encountered given their rich history in the e-crime ecosystem. This has proven to be even more true with their actions since:
The group only puts a maximum of five domains on one IP address and makes sure these don’t route to any other IPs that could cause overlap with any domains outside that group.
We explained that Magecart Group 4 used the jQuery mask library as a coverup when a visitor was not on the payment page as not to leak their skimmer until it was needed. Now, they no longer rely on just the one library and have added a multitude of different benign libraries.
Previous Magecart Group 4 infrastructure was fixed on bulletproof hosters or hosters that often turn a blind eye to illegal activities on their infrastructure. In their renewed operation, Magecart Group 4 moved its infrastructure around a bit. They’ve incorporated pools of approximately ten sequential IPs at five different hosters in an attempt to reduce the risk of server takedowns.
Just as it’s our job to protect our customers, it’s Magecart Group 4’s job to maximize their income with web-based skimming. Likewise, just like we’re professionals in cybersecurity, they’re professionals in cybercrime. We may not hold their ‘job’ in high regard, but Magecart Group 4 is an advanced group of professional criminals and a dangerous adversary.
Magecart Group 4’s tactic of pooling of domains, which we mentioned above, is just one example of this professionalism. The group’s typical setup used to be a mash-up of domains randomly spread across IP address. Now, they’re pooling a maximum of five domains on a single IP address, which looks like this:
The domains associated with Magecart Group 4’s skimming operation are simply proxies pointing towards a large internal network. After applying some initial filtering, these proxies upstream skimmer requests towards a backend that provides the skimmer script (or benign script when a visitor isn’t performing a payment).
This type of infrastructure is unlike that used by other Magecart groups operating in the wild. Many of these groups rely on “kits” that are a combination of PHP and MySQL-based backends. With these, the same server that obtains the stolen data also functions as the source of the skimming code and includes a backend for the Magecart operators to log in to see their earnings. However, Magecart Group 4 has advanced far beyond skimming kits to developing their own organizational skimming infrastructure.
Magecart Group 4 not only updated their infrastructure, but they also spent time updating key elements of their skimmer. We won’t go through the entire skimmer but will break down the important parts that changed.
One thing to note is that Magecart Group 4 actively updates their skimmer code. RiskIQ sees legacy elements of the old skimmer in the new skimmer, but this old functionality is entirely unused. Additionally, certain features in the skimmer are enabled with feature flags; the skimmer that is used in their live operation has “new” features turned off by default. This gives a sense of Q&A for Magecart Group 4.
The previous version of Magecart Group 4’s skimmer wasn’t actually a skimmer—it was an overlay payment phishing system. However, in the updated version, they are skimming existing payment forms instead of building up their own payment forms. Magecart Group 4’s skimmer now goes through page forms and pulls out the payment data, which significantly reduced the skimmer from over 1,500 lines of code to a little over 150 lines.
Magecart Group 4’s new skimmer also adds one more event listener to hook into the process of the payment-completion process. Usually, this involves a ‘submit button’ of some kind, but In this case, they hook the keyboard key-events and search for usage of the return/enter key. This is just one more option they added to the skimmer with a feature flag which, until now, we have only seen turned off, which likely indicates Magecart Group 4 is still experimenting with it.
Previously the exfiltration URL used by the Magecart Group 4 skimmers was a concatenation of: <website scheme>://<exfil domain>/<checkout path of victim website>/saveOrder.The new method of exfiltration is more simplified:
(.jpg file path)
The data the skimmer infiltrates was just base64 encoded previously, but in the new version, they make use of RSA public/private key cryptography. The skimmer now has a hardcoded public key:
—–BEGIN PUBLIC KEY—–
—–END PUBLIC KEY—–
This key is used with the JSEncrypt library to encrypt the skimmed data. The encrypted data is then encoded with base64 and added with URL parameters:
As with our previous reporting, we have taken up the help of ShadowServer and AbuseCH to perform takedowns and sinkholing of the Magecart Group 4 infrastructure we disclose with this report. Their continued efforts in taking down this malicious infrastructure are highly appreciated as always!
With this update on Magecart Group 4, we are also providing the infrastructure that has been set up since our publication of “Inside Magecart.” The following RiskIQ Community project contains just the domains:
As we explained briefly, the infrastructure for Magecart Group 4 is a proxy-based network with the domains we provided being the contact point for proxies. The domains themselves are of higher value than the IP addresses as they simply pool and swap those around quickly. For this reason, we did not put the IP addresses in the RiskIQ Community Project. However, we will share them below for those interested in investigating this more.
The IP addresses we provided are clear sequenced hosts. While some numbers in the sequences are missing we do have high confidence these missing sequence IP addresses are also owned by Magecart Group 4; we just haven’t seen a skimming domain resolve to it. Here is a list of the confirmed IP addresses hosting the skimming infrastructure from Magecart Group 4 since November 2018 after our reporting:
The #Magecart supply-chain attack frenzy continues with AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS, and Picreel falling victim https://t.co/b7UWqL2PzW #BrowserThreats
Regarding Forbes: the skimmer was customized for Forbes, it wasn't an automated attack. Here's the rest of the infrastructure (not just for Forbes) they've been setting it up since January:
Fascinating learning about the cyber attacker's playbook from Yonathan Klijnsma: step 1: gain entry. 2. more reconnaissance 3. Theft, then profit #transportsecurity #TSC
Today at the #TransportSecurityCongress, RiskIQ's
@ydklijnsma spoke about the #Magecart breach of British Airways, which you can read more about here: https://t.co/cPqEqVVllj (Photo credit @SmartRailNews)
Context is everything! Here's how using Tags and Classifications in @RiskIQ PassiveTotal can get your team aligned and supercharge your investigations https://t.co/Wk5OfBZPu2 #ThreatHunting