Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
Since we began reporting on online card skimming, we have noted consistent evolutions in modus operandi of the various Magecart groups, and even the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”
Changes in the manifestations of the Magecart skimmers and the technical expertise of the actors behind them precipitate advances in tracking and detection of these groups and their activities by RiskIQ. This article dives into another example of how the ecosystem is maturing.
A recent cyber attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites, and breaking from traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, they have been able to compromise a large portion of websites.
On the 19th of November, Vision Direct UK, an online optical retailer released an advisory acknowledging a security incident: https://www.visiondirect.co.uk/customer-data-theft
Vision Direct’s timeline for the breach is November 3rd through the 8th. Once the advisory was released, public research identified the infrastructure involved in the attack, which showed that it was in fact Magecart-related. RiskIQ tracks and attributes this activity to Magecart skimming group 11. However, one thing missing from Vision Direct’s security notice is the broad range of their websites that were affected. The advisory noted that only VisionDirect.co.uk was affected, but the scale of the breach was much larger and expanded to their online retailing platform in seven countries, namely:
How were all of these sites affected simultaneously? First of all, an examination of each site shows that they share the same design template. Also, If you look up visiondirect.it in RiskIQ Community, you will see that it’s currently hosted on 126.96.36.199. It turns out, all of the Vision Direct websites are hosted on the same IP. By hitting this main server, Group 11 was able to compromise each site at the same time:
Fig-1 Vision Direct sites resolving to the compromised server
Magecart is a term for a mode of operation that focuses on skimming card data from payment websites, but the technique can be used to steal data that is unrelated to payment processing. While Group 11’s skimmer isn’t any different than those of other groups, the way they use it is.
Group 11’s skimmer has added some capabilities that also steal credentials or essential information from administrators. The URL path filtering, typically used to ensure a skimmer is operating on a payment page only, includes keywords that indicate targeting of other pages including login and administrative pages. As an example, here is an injection on the Dutch Vision Direct website:
Fig-2 Magecart injection
Here is a cleaned up skimmer from g-analytics.com/libs/1.0.16/analytics.js
Fig-3 Cleaned-up skimmer code
In the past, we explained this was used to filter down the pages to make sure only payment forms were being skimmed. However, Group 11 added a few additional keywords: admin, account, login, password, which allow them to also skim information from pages containing those keywords. This means the skimmed data will include credentials of site-users as well as possible administrators performing operations on the restricted administrative section of the website.
This change in keyword filtering is a new development, but we aren’t surprised to see it. Web-skimming has many merits for threat actors and can be used for many things. Stealing credentials is something we expected to see much earlier but it seems to have only just now hit this group’s operational side.
RiskIQ’s network of web crawlers, which crawls more than two billion web pages a day, views and interacts with websites from the perspective of a user. It’s this unique perspective that allows us to detect web-based attacks like Magecart while no one else can.
While the following indicators do not cover the entire operation of Group 11, it does cover those associated with the Vision Direct breach as well as initial pivoting on that infrastructure:
RiskIQ Community Project: Magecart Group 11
Cyber-Risks Hiding Inside Mobile App Stores https://t.co/NeXSULKcb5 #mobile #mobileapp #googleplay #risk by @kellymsheridan
If you have a “c” in your title, you're a target both online and in the physical world. Here are 5 things to "know" about modern executive defense https://t.co/Nl3lrvEM7O
#PlayStore winning war on suspect apps https://t.co/Zw1yuLswXF
Blacklisted apps rise, antivirus apps prove more harm than good, and Google Play continues to set the trends. Download our Q1 Mobile Threat Landscape Report and 2018 review for a deep dive into the last 18 months of #MobileThreats: https://t.co/FipDUCA6wA
Check out my latest interview in Forensic Magazine: Cybercrime, Cybertargets, and Cybersecurity https://t.co/TNy7MhoUn2 @LauraMFrench @ForensicMag @RiskIQ #cybercrime #CyberSecurity #threathunting