December 4, 2018, Yonathan Klijnsma and Jordan Herman
Since we began reporting on online card skimming, we have noted consistent evolution in the modus operandi of the various Magecart groups, and in the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we covered in our recent report “Inside Magecart.”
Changes in how the Magecart skimmers manifest, and in the technical expertise of the actors behind them, drive corresponding advances in how RiskIQ tracks and detects these groups and their activity. This article walks through another example of how the ecosystem is maturing.
A recent attack by a group we track as Magecart Group 11, which was not covered in the Inside Magecart report, compromised several websites and, breaking from the traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to its peers, has been able to compromise a large number of websites.
On November 19, Vision Direct UK, an online optical retailer, released an advisory acknowledging a security incident: https://www.visiondirect.co.uk/customer-data-theft
Vision Direct’s timeline for the breach is November 3 through November 8. Once the advisory was released, public research identified the infrastructure involved in the attack and showed that it was Magecart-related. RiskIQ tracks and attributes this activity to Magecart skimming Group 11. One thing missing from Vision Direct’s security notice, however, is the full range of their websites that were affected. The advisory stated that only VisionDirect.co.uk was affected, but the breach was much larger and extended to their online retail platform in seven countries, namely:
How were all of these sites affected simultaneously? First, an examination of each site shows that they share the same design template. Second, if you look up visiondirect.it in RiskIQ Community, you will see that it is currently hosted on 18.104.22.168, and it turns out that all of the Vision Direct websites resolve to that same IP. By compromising this one shared server, Group 11 was able to affect every site at the same time:
Fig-1 Vision Direct sites resolving to the compromised server
Magecart is a term for a mode of operation that focuses on skimming card data from payment pages, but the same technique can be used to steal data unrelated to payment processing. While Group 11’s skimmer isn’t any different from those of other groups, the way they use it is.
Group 11’s deployment of the skimmer extends its reach to credentials and other sensitive information entered by site users and administrators. The URL path filtering, which a skimmer typically uses to ensure it runs only on a payment page, includes keywords that indicate targeting of other pages, including login and administrative pages. As an example, here is an injection on the Dutch Vision Direct website:
Fig-2 Magecart injection
Here is the cleaned-up skimmer served from g-analytics.com/libs/1.0.16/analytics.js:
Fig-3 Cleaned-up skimmer code
In the past, we explained that this keyword list filters the pages on which the skimmer activates so that only payment forms are skimmed. Group 11, however, added a few more keywords: admin, account, login, password. Any page whose URL contains one of those keywords is skimmed as well, so the stolen data includes the credentials of site users and, potentially, of administrators performing operations in the restricted administrative section of the website.
This change in keyword filtering is a new development, but we aren’t surprised to see it. Web skimming has many merits for threat actors and can be used for many things. Stealing credentials is something we expected to see much earlier, but it seems to have only now reached this group’s operational side.
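To make the effect of the extra keywords concrete, the following is an added example of the URL gate a skimmer of this kind applies before it starts harvesting form data. It is not code from the g-analytics.com skimmer or from RiskIQ: the payment-page keywords are an assumption modelled on the kind of terms such gates usually contain, only the four added keywords (admin, account, login, password) come from the text, and the sample paths are constructed rather than taken from the Vision Direct sites. It exfiltrates nothing; it only reports which pages each gate would activate on.

```javascript
// Added example, not the skimmer's own code. Demonstrates how widening the
// URL keyword gate turns login and admin pages into skimming targets.

// ASSUMPTION: typical payment-page keywords; the original list is not shown on the page.
const PAYMENT_KEYWORDS = ["checkout", "onepage", "payment", "billing", "cart", "order"];
// The four keywords the text says Group 11 added to the gate.
const GROUP11_EXTRA_KEYWORDS = ["admin", "account", "login", "password"];

// Returns the first keyword found in the URL path (case-insensitive), or null.
// This is the substring test a skimmer runs against the page URL before it
// hooks form fields; no match means the skimmer stays dormant on that page.
function matchPathKeyword(path, keywords) {
  const lower = String(path).toLowerCase();
  for (const kw of keywords) {
    if (lower.includes(kw)) return kw;
  }
  return null;
}

// Classify each path under the traditional payment-only gate and under
// Group 11's extended gate, returning which keyword (if any) fires for each.
function classifyPaths(paths) {
  const extended = PAYMENT_KEYWORDS.concat(GROUP11_EXTRA_KEYWORDS);
  return paths.map((path) => ({
    path,
    paymentOnly: matchPathKeyword(path, PAYMENT_KEYWORDS),
    group11: matchPathKeyword(path, extended),
  }));
}

// Paths that a payment-only skimmer ignores but Group 11's gate activates on:
// these are the pages whose credentials are newly exposed.
function newlyExposedPaths(paths) {
  return classifyPaths(paths)
    .filter((r) => r.paymentOnly === null && r.group11 !== null)
    .map((r) => r.path);
}

// Constructed sample paths (hypothetical; not from the Vision Direct sites).
const SAMPLE_PATHS = [
  "/checkout/onepage/",
  "/customer/account/login/",
  "/admin/customer/index/",
  "/contact-lenses/daily/",
  "/customer/account/resetpassword/?token=abc",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of classifyPaths(SAMPLE_PATHS)) {
    console.log(`${r.path}  payment-only: ${r.paymentOnly ?? "-"}  group11: ${r.group11 ?? "-"}`);
  }
  console.log("pages skimmed only under Group 11's gate:", newlyExposedPaths(SAMPLE_PATHS));
}
```

Run with `node` to see the comparison: the checkout page fires under both gates, the product listing fires under neither, and the login, admin and password-reset pages fire only once the extra keywords are present. A defender reviewing a suspected skimmer can apply the same test to their own site map to see which non-payment pages a given keyword list would expose.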
RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It is this perspective that allows us to detect web-based attacks like Magecart.
While the following indicators do not cover the entire operation of Group 11, they do cover those associated with the Vision Direct breach as well as initial pivoting on that infrastructure:
RiskIQ Community Project: Magecart Group 11