In Latest Magecart Evolution, Group 11 Stole More Than Just Card Data From Vision Direct


December 4, 2018, Yonathan Klijnsma and Jordan Herman

Since we began reporting on online card skimming, we have noted consistent evolutions in modus operandi of the various Magecart groups, and even the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”  

Changes in the manifestations of the Magecart skimmers and the technical expertise of the actors behind them precipitate advances in tracking and detection of these groups and their activities by RiskIQ. This article dives into another example of how the ecosystem is maturing.

A recent attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites, and breaking from traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, they have been able to compromise a large portion of websites.

Vision Direct

On the 19th of November, Vision Direct UK, an online optical retailer, released an advisory acknowledging a security incident: https://www.visiondirect.co.uk/customer-data-theft

Vision Direct’s timeline for the breach is November 3rd through the 8th. Once the advisory was released, public research identified the infrastructure involved in the attack, which showed that it was in fact Magecart-related. RiskIQ tracks and attributes this activity to Magecart skimming group 11. However, one thing missing from Vision Direct’s security notice is the broad range of their websites that were affected. The advisory noted that only VisionDirect.co.uk was affected, but the scale of the breach was much larger and expanded to their online retailing platform in seven countries, namely:

  • Italy visiondirect.it
  • Spain visiondirect.es
  • Ireland visiondirect.ie
  • France visiondirect.fr
  • Belgium visiondirect.be
  • The Netherlands visiondirect.nl
  • The United Kingdom visiondirect.co.uk

How were all of these sites affected simultaneously? First of all, an examination of each site shows that they share the same design template. Also, if you look up visiondirect.it in RiskIQ Community, you will see that it’s currently hosted on 34.246.154.161. It turns out, all of the Vision Direct websites are hosted on the same IP. By hitting this main server, Group 11 was able to compromise each site at the same time:

Fig-1 Vision Direct sites resolving to the compromised server

Source: https://community.riskiq.com/search/34.246.154.161

Skimming Beyond Payment Data

Magecart is a term for a mode of operation that focuses on skimming card data from payment websites, but the technique can be used to steal data that is unrelated to payment processing. While Group 11’s skimmer isn’t any different than those of other groups, the way they use it is.

Group 11’s skimmer has added some capabilities that also steal credentials or essential information from administrators. The URL path filtering, typically used to ensure a skimmer is operating on a payment page only, includes keywords that indicate targeting of other pages including login and administrative pages. As an example, here is an injection on the Dutch Vision Direct website:

Fig-2 Magecart injection

Here is a cleaned-up skimmer from g-analytics.com/libs/1.0.16/analytics.js:

Fig-3 Cleaned-up skimmer code
This is a small section of the skimmer, which is about 75 lines of JavaScript in its clean, non-obfuscated form. This section specifically checks the location of the current page on which the skimmer is loaded.

In the past, we explained this was used to filter down the pages to make sure only payment forms were being skimmed. However, Group 11 added a few additional keywords: admin, account, login, password, which allow them to also skim information from pages containing those keywords. This means the skimmed data will include credentials of site-users as well as possible administrators performing operations on the restricted administrative section of the website.

This change in keyword filtering is a new development, but we aren’t surprised to see it. Web-skimming has many merits for threat actors and can be used for many things. Stealing credentials is something we expected to see much earlier but it seems to have only just now hit this group’s operational side.

A Unique Solution for a Unique Threat

RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.

When crawling a page, RiskIQ maps its structure and breaks it down to its smallest elements. This data is captured and stored in our massive databases to provide a point-in-time snapshot of how a page appears and functions, including its JavaScript. With this reference, we can observe changes, such as the addition of a Magecart skimmer, as they happen. It’s this proprietary historical data that allowed us to amend the official timeline of the Ticketmaster attack and prove that the Magecart skimmer was live on Newegg’s website for over a month.

Our researchers direct RiskIQ’s crawlers with custom detection policies they write while hunting for Magecart and taking note of their skimmers’ unique JavaScript signatures. From the petabytes of data these crawls collect, RiskIQ builds out static indexes including passive DNS, SSL certificates, host pairs (redirects), and web components. Pivoting on these data sets allows us to uncover Magecart’s tactics and identify victims. For example, our Components data set shows us all the sites running a third-party analytics script compromised by Magecart, and our Host Pairs data set shows relationships between websites running the Magecart skimmer.
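The point-in-time snapshot comparison described above, and the injected third-party script shown in the Fig-2 paragraph, can be illustrated with a small diff of external script references between two crawls. This is an added example, not RiskIQ's crawler code; the two HTML snapshots, the allowlist and the page origin are constructed, and only the g-analytics.com path comes from the article.

```javascript
// Added example (not RiskIQ's code): diff two point-in-time snapshots of a page's
// external <script src> references and flag hosts that appear only in the newer
// snapshot and are not on the site's own allowlist. Both snapshots are constructed.
const BASELINE_HTML = `
<html><head>
<script src="https://www.visiondirect.nl/static/js/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
</head><body>...</body></html>`;

const CURRENT_HTML = `
<html><head>
<script src="https://www.visiondirect.nl/static/js/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script type="text/javascript" src="//g-analytics.com/libs/1.0.16/analytics.js"></script>
</head><body>...</body></html>`;

// Hosts the site is expected to load scripts from (constructed allowlist).
const ALLOWED_HOSTS = new Set(['www.visiondirect.nl', 'www.googletagmanager.com']);

// Extract the hostname of every external script reference in an HTML document.
// Protocol-relative URLs ("//host/path") are resolved against the page origin,
// so a src without a scheme still yields its host.
function scriptHosts(html, pageOrigin = 'https://www.visiondirect.nl') {
  const hosts = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      hosts.add(new URL(m[1], pageOrigin).hostname);
    } catch (_) { /* ignore malformed src values */ }
  }
  return hosts;
}

// Hosts present in the current snapshot but absent from both the baseline and
// the allowlist: the signal that a new third-party script was added to the page.
function newUnexpectedHosts(baselineHtml, currentHtml, allowed = ALLOWED_HOSTS) {
  const before = scriptHosts(baselineHtml);
  return [...scriptHosts(currentHtml)].filter(h => !before.has(h) && !allowed.has(h));
}

console.log(newUnexpectedHosts(BASELINE_HTML, CURRENT_HTML)); // → [ 'g-analytics.com' ]
```

In practice the baseline would be the stored crawl and the allowlist the site owner's known script origins; any host this returns is a candidate for the script-content review the article describes.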

Indicators of Compromise

While the following indicators do not cover the entire operation of Group 11, they do cover those associated with the Vision Direct breach as well as initial pivoting on that infrastructure:

RiskIQ Community Project: Magecart Group 11
