
In Latest Magecart Evolution, Group 11 Stole More Than Just Card Data From Vision Direct

Since we began reporting on online card skimming, we have noted consistent evolutions in the modus operandi of the various Magecart groups, and in the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”

Changes in how Magecart skimmers manifest, and in the technical expertise of the actors behind them, drive corresponding advances in how RiskIQ tracks and detects these groups and their activities. This article dives into another example of how the ecosystem is maturing.

A recent cyber attack by a group we track as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites and, breaking from the traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite operating a relatively small infrastructure compared to its peers, has compromised a large number of websites.

Vision Direct


The Magecart Seal of Approval: Cybercriminal Card-Skimming Group Executes Scaled Supply Chain Attack on Shopper Approved

Over the past several months, we’ve published four reports on the digital credit card-skimming activities of Magecart—mainly regarding significant breaches like Ticketmaster, British Airways, and Newegg. In every publication, we noted that the six groups under the Magecart umbrella have ramped up their operations, becoming more clever and, in many cases, more sophisticated with each attack.

However, a particularly problematic aspect of Magecart activity is that, because site owners generally lack visibility into the code running on their e-commerce sites, neither they nor their customers are aware when a third party’s code on the checkout page into which customers are entering payment information has been compromised with Magecart’s skimming code.

In this blog, we’re disclosing what could have been another sizable Magecart attack against Shopper Approved, a customer rating plugin that integrates with thousands of e-commerce sites, had it not been for a few recent industry trends and fast detection and notification by RiskIQ. Below, we’ll provide analysis of this new attack and provide detail of when the Magecart attackers added the skimmer, where they added it, and the scope of affected websites.


Similar to the attack against Ticketmaster, this attack did not impact a single store directly. Instead, it attempted to skim payment information from multiple online stores at once by compromising a widely used third party. In this case, the actors compromised Shopper Approved, an organization that provides rating seals for online stores.


Another Victim of the Magecart Assault Emerges: Newegg

RiskIQ conducted the research for this report in collaboration with Volexity, which will release a separate report of its own. From different perspectives, we will discuss the same incident, showing how we found and analyzed the latest instance of Magecart using our unique capabilities and datasets.

While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg.

Last week we published details on the British Airways compromise immediately after the company made its first advisory public linking the breach of customer credit card information to Magecart. We were able to disclose these details based on our years of tracking the activities and infrastructure of the umbrella of Magecart groups performing digital credit card skimming campaigns. The British Airways cyber attack was highly targeted and done via a tactic we’d seen evolving through the years.

The report on the British Airways cyber attack came shortly after our discovery that Magecart was also behind the breach of Ticketmaster. As we have built out this narrative, it has become clear to the industry that these simple yet clever cyber attacks are not only devastating, they’re becoming more and more prevalent. Newegg is just the latest victim.

The breach of Newegg shows the true extent of Magecart operators’ reach. These cyber attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways cyber attacks were all present in the cyber attack on Newegg: they integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible.


Bacloud: Russia’s New Misinformation Safe Haven

It was revealed last week that Microsoft took action to stop a phishing operation by Fancy Bear (aka APT28), a cyberespionage group associated with Russian intelligence. The company’s Digital Crimes Unit executed a court order to take control of and sinkhole six domains created by the hacking group ostensibly in preparation for launching phishing attacks against the International Republican Institute (IRI) and The Hudson Institute, both conservative think tanks that have been critical of the Russian state and Vladimir Putin. The board of the IRI includes several Republican senators, General H.R. McMaster, and Mitt Romney.

The phishing domains are listed here:

  • my-iri[.]org
  • senate[.]group

Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims

On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. In interviews with the BBC, the company noted that around 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information.

On its website, British Airways placed an article explaining details of the incident that answered as many questions as possible for customers. The technical details were sparse but included the following pieces of information:

  • Payments through its main website were affected

MarkOfTheWeb: How a Forgetful Russian Agent Left a Trail of Breadcrumbs

MarkOfTheWeb: A Calling Card for Careless Russian Agents

Digital interference from the Russian Federation is nothing new. Their virtual trespassing efforts have been outed and heavily discussed in the news—even more so in recent months (as you've probably noticed). Russian digital incursion into the United States political climate allows them to adjust the direction of discourse and push buttons when and where needed to help achieve a desirable outcome for the Kremlin. To carry out these active measures, the Russian state relies not only on agents and spies who do physical work but also those who operate digitally.

Luckily, not all Russian digital agents are as smooth as James Bond. Sometimes, they slip up and leave traces of their origins. One such slip up occurred recently. In August 2017, the staff lead of Missouri Democratic Senator Claire McCaskill was spear-phished by the digital arm of the Russian state in an attempt that resembled the infamous attacks against John Podesta and Colin Powell.

The agent cloned a login page by saving it directly from the internet and used it to try to fool the high-ranking staffer into giving up his credentials. Unfortunately for our hapless Russian agent, the phishing page they spun up included more information than intended. With the breadcrumbs they left behind, we were able to tap into RiskIQ’s repository of internet data to trace the origin of the agent and uncover other targets, which gave us clues about their motives, which, suspiciously, seem to align with those of Russia.
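The breadcrumb a saved page carries, shown as an added example rather than the page from the incident or RiskIQ’s own tooling: when Internet Explorer saves a page from the internet it writes a Mark of the Web comment at the top of the file, `<!-- saved from url=(0022)http://www.example.com/ -->`, where the four-digit number is the length of the URL that follows. The saved pages, hosts and URLs below are constructed for the example; the parser and the origin pivot are the check a researcher would run on a recovered phishing page.

```javascript
// Added example, not RiskIQ's code. Internet Explorer writes a Mark of the Web
// comment into a page saved from the internet:
//   <!-- saved from url=(0022)http://www.example.com/ -->
// The four-digit number is the length of the URL that follows. A phishing page
// built by saving the real login page keeps that comment unless the actor strips
// it, which exposes where the template was fetched from. The pages below are
// constructed for this example.

const SAMPLE_PAGES = [
  `<!DOCTYPE html>
<!-- saved from url=(0042)https://accounts.login-example.test/signin -->
<html><head><title>Sign in</title></head>
<body><form method="post" action="post.php"></form></body></html>`,
  `<!DOCTYPE html>
<!-- saved from url=(0043)https://accounts.login-example.test/recover -->
<html><body>recovery</body></html>`,
  `<!DOCTYPE html><html><body>no comment here</body></html>`,
];

// URLs contain no whitespace, so \S+ captures exactly the saved-from URL.
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->/i;

// Return the origin recorded in the Mark of the Web, or null if the page has none.
// lengthMatches is false when someone hand-edited the comment: the declared
// length no longer agrees with the URL, which is itself a useful tell.
function extractMarkOfTheWeb(html) {
  const m = MOTW_RE.exec(html);
  if (m === null) return null;
  const declaredLength = Number(m[1]);
  const url = m[2];
  let host = null;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    host = null; // not an absolute URL (e.g. about:internet); keep the raw value
  }
  return { url, host, declaredLength, lengthMatches: url.length === declaredLength };
}

// Pivot: group a set of recovered pages by the origin they were copied from.
// Pages saved from the same template are the first place to look for other targets.
function groupByOrigin(pages) {
  const byHost = new Map();
  for (const html of pages) {
    const motw = extractMarkOfTheWeb(html);
    if (motw === null || motw.host === null) continue;
    if (!byHost.has(motw.host)) byHost.set(motw.host, []);
    byHost.get(motw.host).push(motw.url);
  }
  return byHost;
}

for (const [host, urls] of groupByOrigin(SAMPLE_PAGES)) {
  console.log(`${host}: ${urls.length} page(s) saved from this origin`);
}
```

The same comment survives when the saved file is re-uploaded to a phishing host, so the check is worth running on every recovered kit page, not only the landing page.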

Following Breadcrumbs to the Kremlin


Inside and Beyond Ticketmaster: The Many Breaches of Magecart

On June 27th, Ticketmaster, a ticket sales and distribution company, made public they had been compromised and that hackers stole customer information. However, we discovered that this was not a one-off event as initially reported, but part of a massive digital credit card-skimming campaign by the threat group Magecart affecting over 800 e-commerce sites around the world.

The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.


Card skimmers are devices criminals hide within credit card readers on ATMs, fuel pumps, and other machines people pay at with credit cards every day. These devices steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Since 2016, RiskIQ has reported on the rise of card skimmers of the digital variety operated by the threat group Magecart, which use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce sites. Hackers placed one of these digital skimmers on Ticketmaster websites by compromising a third-party functionality supplier known as Inbenta.

In this article, we’ll give our comprehensive insights into the events around the Ticketmaster breach. Magecart, the criminal group that performed this cyber attack, is well known to us. We have had an eye on them since 2015, and their cyber attacks have been ramping up in frequency and impact over the years. Our investigation following the Inbenta breach uncovered evidence that the Inbenta cyber attack was not a one-off, but instead indicative of a change in strategy by Magecart from focusing on piecemeal compromises to targeting third-party providers like Inbenta to perform more widespread compromises of card data.
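Both the Shopper Approved and the Inbenta excerpts turn on the same gap: a checkout page runs third-party script that the site owner never inventoried. The following is an added example, not code from RiskIQ, Ticketmaster, Inbenta or Shopper Approved, of the check a site owner can run against their own checkout page: list every script the page loads, resolve where it comes from, and flag sources that are not on an explicit allowlist or that load without Subresource Integrity. The HTML, hostnames, allowlist and integrity value are all constructed for the example.

```javascript
// Added example, not RiskIQ's or any vendor's code: inventory every <script> a
// checkout page loads and flag third-party sources that are not on an explicit
// allowlist or that load without Subresource Integrity (SRI). The HTML, hosts,
// allowlist and integrity value below are constructed for the example.

const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://shop.example/js/checkout.js"></script>
<script src="//seal.ratings-vendor.example/seal.js"></script>
<script src="https://static.cdn-vendor.example/jquery.min.js"></script>
<script src="https://static.cdn-vendor.example/ui.min.js"
        integrity="sha384-constructedPlaceholderHash" crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment"></form></body></html>`;

const FIRST_PARTY_HOST = 'shop.example';
// Vendors the site has deliberately approved for the checkout page.
const ALLOWED_THIRD_PARTY_HOSTS = new Set(['static.cdn-vendor.example']);

// Pull the src and integrity attributes out of each opening <script> tag.
function extractScriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    const attrs = match[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    tags.push({ src: src ? src[1] : null, integrity: integrity ? integrity[1] : null });
  }
  return tags;
}

// Classify each script by where it comes from and whether its content is pinned.
function auditScripts(html, firstPartyHost, allowedHosts) {
  const findings = [];
  for (const tag of extractScriptTags(html)) {
    if (tag.src === null) {
      findings.push({ src: '(inline)', host: firstPartyHost, status: 'inline' });
      continue;
    }
    // Relative and protocol-relative ("//host/path") URLs resolve against the page origin.
    const url = new URL(tag.src, `https://${firstPartyHost}/`);
    let status;
    if (url.hostname === firstPartyHost) {
      status = 'first-party';
    } else if (!allowedHosts.has(url.hostname)) {
      status = 'unexpected-third-party';
    } else if (tag.integrity === null) {
      status = 'third-party-without-sri';
    } else {
      status = 'allowed';
    }
    findings.push({ src: url.href, host: url.hostname, status });
  }
  return findings;
}

// The subset a reviewer should look at first: code the site never approved, and
// approved code whose content can change on the vendor's side without notice.
function flagged(findings) {
  return findings.filter(
    (f) => f.status === 'unexpected-third-party' || f.status === 'third-party-without-sri',
  );
}

const report = auditScripts(SAMPLE_CHECKOUT_HTML, FIRST_PARTY_HOST, ALLOWED_THIRD_PARTY_HOSTS);
for (const f of flagged(report)) console.log(`${f.status}: ${f.src}`);
```

One caveat: SRI only works for a file the vendor serves unchanged, so a seal or chat widget that the vendor updates in place will simply stop loading under an integrity attribute. For those scripts the controls are a `script-src` allowlist in Content Security Policy plus monitoring of what the vendor actually serves over time, which is exactly the visibility the excerpts above say most sites lack.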


New Attacks on Mew: Phishing MyEtherWallet Via Native Web Views on Android

Last week, we published an extensive report on MEWKit, a phishing ATS targeting visitors of MyEtherWallet (MEW) in elaborate ways—including resorting to a BGP hijack. But threats to users of MyEtherWallet aren’t a new thing by any means—phishing pages targeting the cryptocurrency platform, while not as sophisticated as MEWKit, have been going around for a very long time. In this blog, we’ll discuss another technique we’ve seen actors using in attacks against MyEtherWallet users to fool them out of their Ethereum wallet credentials.

The Lure

Cybercriminals are always thinking of new methods by which to perform their attacks. In the case of phishing, they come up with innovative ways of convincing victims that their website or, in this case, mobile app, is legitimate. New attacks are using messages on social media and posts on forums to spread illegitimate clones of MyEtherWallet. Spreading clones this way is not a new tactic in and of itself, but it had not previously been seen targeting MyEtherWallet users. In this attack, an actor sets up a fake Telegram group, supposedly for MyEtherWallet and its support team, to spread false messages. In fact, searching for MyEtherWallet on Telegram would surface a group with over nine thousand subscribers:


Fig-1 The actor-created Telegram group

The operator of this group forwarded the tweets sent from the official MyEtherWallet Twitter account to the group, with one additional message—that there’s a new MyEtherWallet client for Android. The general messaging in the group looked like this:


This is How Threat Actors Overwhelm the Defenses of Ad Networks

Also by Ian Cowger

Traffic is a vital commodity in the cybercrime ecosystem that enables criminals to monetize their campaigns in various ways, whether by hijacking traffic from ad networks, carrying out phishing attacks, distributing malware to vulnerable computers, or sending victims to far-reaching networks of scam sites.  

Many attackers protect this source of revenue by using traffic and device filtering techniques to keep out security researchers and to optimize the type of traffic they receive. In this post, we’ll examine a tactic we see more and more in the wild—obfuscated code on pages that redirects users to malicious pages. We’ll also take a look at why scam networks that burn through huge swathes of cheap, disposable infrastructure are a destination of choice for traffic captured by these campaigns.

The redirector below, which we call CaesarV because it uses a Caesar cipher to obfuscate the code on its pages that performs the redirection, is in this case sending traffic to what RiskIQ’s models identified as fake tech support pages.
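The excerpt names the obfuscation but does not reproduce the CaesarV code. As an added example, not RiskIQ’s crawl data or the actor’s script, the block below shows how a Caesar-shifted redirect hides and how a crawler can recover it: the obfuscated string is a constructed `window.location.href` assignment shifted by 7 positions (the destination host is invented), and the decoder tries every shift, scores each candidate for tokens a redirect almost always contains, and returns the destination URL, or null when nothing decodes to a redirect.

```javascript
// Added example, not the CaesarV code from RiskIQ's crawl. The obfuscated string
// is a constructed redirect shifted by 7; the decoder tries every shift and keeps
// the candidate that reads like JavaScript touching window.location.

// Shift letters only; digits, punctuation and the URL separators stay as they are,
// which is exactly why a Caesar-obfuscated page still looks like code to the eye.
function caesar(text, shift) {
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    const code = ch.charCodeAt(0) - base;
    return String.fromCharCode((((code + shift) % 26) + 26) % 26 + base);
  });
}

// Constructed sample:
//   caesar('window.location.href="https://support-alert.example/scan";', 7)
const OBFUSCATED_SAMPLE = 'dpukvd.svjhapvu.oylm="oaawz://zbwwvya-hslya.lehtwsl/zjhu";';

// Tokens that a redirect snippet almost always contains once decoded.
const REDIRECT_MARKERS = ['window', 'location', 'href', 'document', 'http'];

function scoreCandidate(text) {
  return REDIRECT_MARKERS.filter((t) => text.includes(t)).length;
}

// Try all 26 shifts and return the best-scoring plaintext plus any URL in it.
// Returns null when no shift reaches minScore: either a different obfuscation
// is in use or the input has no letters to shift, and a human should look.
function bruteForceCaesar(ciphertext, minScore = 2) {
  let best = { shift: 0, plaintext: ciphertext, score: -1 };
  for (let shift = 0; shift < 26; shift += 1) {
    const plaintext = caesar(ciphertext, -shift);
    const score = scoreCandidate(plaintext);
    if (score > best.score) best = { shift, plaintext, score };
  }
  if (best.score < minScore) return null;
  const urlMatch = /https?:\/\/[^\s"'`;)]+/.exec(best.plaintext);
  return { ...best, url: urlMatch ? urlMatch[0] : null };
}

const result = bruteForceCaesar(OBFUSCATED_SAMPLE);
if (result !== null) {
  console.log(`shift ${result.shift}: ${result.plaintext}`);
  console.log(`redirects to ${result.url}`);
}
```

Because a Caesar shift preserves length and punctuation, this brute force is cheap enough to run on every inline script a crawler sees before spending time on a full JavaScript emulator; `minScore` is the knob that keeps random text from producing a false redirect.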

Where does this traffic come from?
