Since we began reporting on online card skimming, we have noted consistent evolutions in modus operandi of the various Magecart groups, and even the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”
Changes in the manifestations of the Magecart skimmers and the technical expertise of the actors behind them precipitate advances in tracking and detection of these groups and their activities by RiskIQ. This article dives into another example of how the ecosystem is maturing.
A recent cyber attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites, and breaking from traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, they have been able to compromise a large portion of websites.
On the 19th of November, Vision Direct UK, an online optical retailer released an advisory acknowledging a security incident: https://www.visiondirect.co.uk/customer-data-theft
Vision Direct’s timeline for the breach is November 3rd through the 8th. Once the advisory was released, public research identified the infrastructure involved in the attack, which showed that it was in fact Magecart-related. RiskIQ tracks and attributes this activity to Magecart skimming group 11. However, one thing missing from Vision Direct’s security notice is the broad range of their websites that were affected. The advisory noted that only VisionDirect.co.uk was affected, but the scale of the breach was much larger and expanded to their online retailing platform in seven countries, namely:
- Italy - visiondirect.it
- Spain - visiondirect.es
- Ireland - visiondirect.ie
- France - visiondirect.fr
- Belgium - visiondirect.be
- The Netherlands - visiondirect.nl
- The United Kingdom - visiondirect.co.uk
How were all of these sites affected simultaneously? First of all, an examination of each site shows that they share the same design template. Also, If you look up visiondirect.it in RiskIQ Community, you will see that it’s currently hosted on 18.104.22.168. It turns out, all of the Vision Direct websites are hosted on the same IP. By hitting this main server, Group 11 was able to compromise each site at the same time:
Skimming Beyond Payment Data
Magecart is a term for a mode of operation that focuses on skimming card data from payment websites, but the technique can be used to steal data that is unrelated to payment processing. While Group 11’s skimmer isn’t any different than those of other groups, the way they use it is.
Group 11’s skimmer has added some capabilities that also steal credentials or essential information from administrators. The URL path filtering, typically used to ensure a skimmer is operating on a payment page only, includes keywords that indicate targeting of other pages including login and administrative pages. As an example, here is an injection on the Dutch Vision Direct website:
Here is a cleaned up skimmer from g-analytics.com/libs/1.0.16/analytics.js
In the past, we explained this was used to filter down the pages to make sure only payment forms were being skimmed. However, Group 11 added a few additional keywords: admin, account, login, password, which allow them to also skim information from pages containing those keywords. This means the skimmed data will include credentials of site-users as well as possible administrators performing operations on the restricted administrative section of the website.
This change in keyword filtering is a new development, but we aren’t surprised to see it. Web-skimming has many merits for threat actors and can be used for many things. Stealing credentials is something we expected to see much earlier but it seems to have only just now hit this group’s operational side.
A Unique Solution for a Unique Threat
RiskIQ's network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It's this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.
Indicators of Compromise
While the following indicators do not cover the entire operation of Group 11, it does cover those associated with the Vision Direct breach as well as initial pivoting on that infrastructure: