Magecart Strikes Again
Magecart is back, and the operation is more elaborate than we thought, involving physical shipping companies with mules operating in the United States.
Credit card data is a hot commodity in the criminal underworld of the internet—stolen card data is readily available, and used to fund criminal enterprises of all kinds. But scammers, rippers, and carders aren’t the only ones in on the action—the data has to be stolen in the first place.
This stolen data can be packaged and sold as CVV dumps, on websites where transactions involving stolen credit card data take place. In a recent Krebs on Security blog post, which ties Magecart infrastructure listed in our original report to a credit card dump website known as “Trump’s Dumps,” we caught a glimpse of how those behind Magecart are monetizing their operations.
By pivoting on a domain related to known Magecart activity in RiskIQ PassiveTotal, the team found that the server behind its IP address, currently used to serve the injected Magecart script, also links to a domain for a reshipping company website falsely advertised as a freight/logistics provider, USLOGISTICEXPRESS.COM.
Fig-1 Pivoting on 22.214.171.124 in PassiveTotal
Fig-2 HTTP default virtual host on 126.96.36.199 exposes uslogisticexpress.com
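The pivot described above (seed domain, to the IPs it resolved to, to the other domains that shared those IPs while the seed was there) can be expressed as a small co-hosting query over passive DNS records. The script below is an added example, not RiskIQ code and not a PassiveTotal API client; every domain, IP and date in it is a constructed placeholder (RFC 5737 test ranges), not an indicator from this article. It also handles the caveat analysts hit on this step: an IP shared by dozens of tenants (shared hosting, CDN) proves nothing, so such IPs are reported as noisy instead of being expanded.

```python
"""Passive-DNS co-hosting pivot over a constructed record set (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS resolution window: domain -> ip seen between two dates."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample data (placeholders, not indicators from the article):
# - 203.0.113.10 hosts the seed "inject" domain, a second domain that appears
#   while the seed is live, and an older tenant whose window does not overlap.
# - 198.51.100.7 is a bulk hosting IP with many unrelated tenants.
# - 192.0.2.44 never hosted the seed and should not appear at all.
SAMPLE_PDNS: List[PdnsRecord] = [
    PdnsRecord("inject-host.example", "203.0.113.10", date(2018, 8, 1), date(2018, 10, 1)),
    PdnsRecord("freight-front.example", "203.0.113.10", date(2018, 8, 15), date(2018, 10, 1)),
    PdnsRecord("old-tenant.example", "203.0.113.10", date(2017, 1, 1), date(2018, 3, 1)),
    PdnsRecord("inject-host.example", "198.51.100.7", date(2018, 5, 1), date(2018, 7, 31)),
    PdnsRecord("cdn.example", "192.0.2.44", date(2018, 1, 1), date(2019, 1, 1)),
] + [
    PdnsRecord(f"tenant{i}.example", "198.51.100.7", date(2018, 1, 1), date(2019, 1, 1))
    for i in range(12)
]


def overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True when the two resolution windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def cohosted_domains(records: List[PdnsRecord], seed: str, max_tenants: int = 10) -> Dict[str, dict]:
    """For each IP the seed resolved to, list the other domains that resolved to
    the same IP during an overlapping window.

    IPs carrying more than max_tenants distinct domains are flagged noisy and
    not expanded: co-hosting on shared infrastructure is not a useful link.
    """
    by_ip: Dict[str, List[PdnsRecord]] = {}
    for r in records:
        by_ip.setdefault(r.ip, []).append(r)

    result: Dict[str, dict] = {}
    for s in (r for r in records if r.domain == seed):
        tenants = {r.domain for r in by_ip[s.ip]}
        entry = result.setdefault(
            s.ip, {"noisy": len(tenants) > max_tenants, "tenants": len(tenants), "domains": set()}
        )
        if entry["noisy"]:
            continue  # shared hosting: report the count, do not list every tenant
        entry["domains"] |= {
            r.domain for r in by_ip[s.ip] if r.domain != seed and overlaps(s, r)
        }
    return result


if __name__ == "__main__":
    for ip, info in cohosted_domains(SAMPLE_PDNS, "inject-host.example").items():
        if info["noisy"]:
            print(f"{ip}: noisy ({info['tenants']} tenants), not expanded")
        else:
            print(f"{ip}: co-hosted with {sorted(info['domains'])}")
```

In a real investigation the record list would come from the passive DNS provider and the candidate domains would then be vetted individually (registration details, page content, hosting history), exactly as the article does with the reshipping site; the time-overlap check is what separates a live co-tenant from a domain that merely used the IP years earlier.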
If we look at this fake company name, we can find a registration of it online:
Fig-3 Company profile of “logistics provider” International Express (uslogisticexpress.com)
Via false employment ads on Russian job websites aimed at U.S.-based job seekers, mules are recruited under the pretense of being “transport agents,” tasked with receiving shipments of electronics and other goods bought with stolen credit cards and forwarding them to an address in Eastern Europe. This technique resembles more traditional money-mule schemes, but rather than transferring funds directly, the actors behind Magecart convert them into higher-priced goods, which can be shipped across borders without suspicion and then sold for a hefty profit.
Below is a very obvious reshipping request for U.S.-based residents to help out as mules. Both of the adverts were put up on websites advertising jobs for U.S. and Russian employees and employers:
Fig-4 English language job posting for a transport agent on Russian/American news site
Online stores remain one of the easiest places to capture payment card data, so we don’t anticipate threats like this going away anytime soon. The lack of overall protection on many online stores, and the ease with which criminals can gain access to vulnerable web applications, lead to successful fraud operations like Magecart. This supports our belief that attackers are heavily targeting online stores now, trying to capitalize on this period before additional safeguards can be enacted across the ecosystem.
Visit the Magecart Public Project in RiskIQ PassiveTotal to pivot on IOCs related to this threat.
Questions? Feedback? Email email@example.com to contact our research team.