Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Since we began reporting on online card skimming, we have noted consistent evolutions in modus operandi of the various Magecart groups, and even the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”
Changes in the manifestations of the Magecart skimmers and the technical expertise of the actors behind them precipitate advances in tracking and detection of these groups and their activities by RiskIQ. This article dives into another example of how the ecosystem is maturing.
A recent cyber attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites, and breaking from traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, they have been able to compromise a large portion of websites.
On the 19th of November, Vision Direct UK, an online optical retailer released an advisory acknowledging a security incident: https://www.visiondirect.co.uk/customer-data-theft
Vision Direct’s timeline for the breach is November 3rd through the 8th. Once the advisory was released, public research identified the infrastructure involved in the attack, which showed that it was in fact Magecart-related. RiskIQ tracks and attributes this activity to Magecart skimming group 11. However, one thing missing from Vision Direct’s security notice is the broad range of their websites that were affected. The advisory noted that only VisionDirect.co.uk was affected, but the scale of the breach was much larger and expanded to their online retailing platform in seven countries, namely:
How were all of these sites affected simultaneously? First of all, an examination of each site shows that they share the same design template. Also, If you look up visiondirect.it in RiskIQ Community, you will see that it’s currently hosted on 18.104.22.168. It turns out, all of the Vision Direct websites are hosted on the same IP. By hitting this main server, Group 11 was able to compromise each site at the same time:
Fig-1 Vision Direct sites resolving to the compromised server
Magecart is a term for a mode of operation that focuses on skimming card data from payment websites, but the technique can be used to steal data that is unrelated to payment processing. While Group 11’s skimmer isn’t any different than those of other groups, the way they use it is.
Group 11’s skimmer has added some capabilities that also steal credentials or essential information from administrators. The URL path filtering, typically used to ensure a skimmer is operating on a payment page only, includes keywords that indicate targeting of other pages including login and administrative pages. As an example, here is an injection on the Dutch Vision Direct website:
Fig-2 Magecart injection
Here is a cleaned up skimmer from g-analytics.com/libs/1.0.16/analytics.js
Fig-3 Cleaned-up skimmer code
In the past, we explained this was used to filter down the pages to make sure only payment forms were being skimmed. However, Group 11 added a few additional keywords: admin, account, login, password, which allow them to also skim information from pages containing those keywords. This means the skimmed data will include credentials of site-users as well as possible administrators performing operations on the restricted administrative section of the website.
This change in keyword filtering is a new development, but we aren’t surprised to see it. Web-skimming has many merits for threat actors and can be used for many things. Stealing credentials is something we expected to see much earlier but it seems to have only just now hit this group’s operational side.
RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.
While the following indicators do not cover the entire operation of Group 11, it does cover those associated with the Vision Direct breach as well as initial pivoting on that infrastructure:
RiskIQ Community Project: Magecart Group 11
We're #ThreatHunting in D.C.! The #infosec community is out in force to learn how to supercharge their investigations with RiskIQ's advanced data sets inside the @PassiveTotal platform.
Via @Forbes, RiskIQ research finds over 18,000 websites infested with #Magecart card-skimming #malware https://t.co/dKSfziG3dr #ecommerce
Just Launched! Adam Hunt of @riskIQ and Fredrik Nilsson of @axisipvideo discuss #cybersecurity, #IoT, and the threat of regulatory fines from #dataprivacy breaches on the latest Inside @ForbesCouncils #podcast! https://t.co/G0UoPfQCHf