Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign
February 07, 2020
A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and EUFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all these cyberattacks to Magecart Group 12.
The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.
In those blog posts, we noted that Group 12 employed base64 encoded checks against the URL looking for the word "checkout" to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:
November 26, 2019
RiskIQ continuously investigates incidents of digital crime as we observe them on the web. Monitoring changes to crime groups and the evolution of their tactics is essential to continue to detect them effectively and stay ahead of the bad guys. With Magecart, we followed the crime syndicate's first group and carefully analyzed its skimming code. As new Magecart groups materialized with unique code and tactics, we built on our Magecart base knowledge to get better and better at detecting Magecart and other forms of web skimming.
In this article, we will discuss our insights into a criminal group that maximizes their profit by working in two ecosystems that are typically distinct: phishing and web skimming. By leveraging a tactic with which they had tons of experience, phishing, they could double-dip into one with which they had less expertise, web skimming.
By combining tactics, this group was playing with a full deck when it came to stealing financial data—introducing Full(z) House.
Here, Malwarebytes published an article highlighting a small piece of this group's activity in card skimming.
October 16, 2019
LNKR is malware that uses browser extensions for Chrome to track browsing activities of users and overlay ads on legitimate sites. Using extensions to add code that executes in a user's browser is a common and lucrative monetization technique on the internet, where spyware, adware, and other browser-based nuisances have thrived since the early days.
Seeing the Cyber Threat
RiskIQ crawlers don't install extensions, but the data we collect from our global discovery platform gives us unique insight into the LNKR threat. We can use known LNKR command and control (C2) domains and our Host Pairs data set, to determine if there was any inventoried infrastructure making calls to these C2 domains
Host pairs are unique relationships between pages that are observed by RiskIQ when we crawl a web page. Each pair has a direction of child or parent and a cause that outlines the relationship connection. These values provide insight into redirection sequences, dependent requests, or specific actions within a web page when it loads. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page.
September 19, 2019
Old Magecart domains are finding new life in subsequent cyber threat campaigns, many of which are entirely unrelated to web skimming.
Here’s the catch: when these domains come back online, they retain their call-outs to malicious domains placed on breached websites by cyber attackers, which means they also retain their value to cyber threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or for use in malvertising campaigns.
August 01, 2019
On July 26th, ThreatConnect published an analysis of a coordinated phishing attack against Bellingcat, an investigative journalism website that specializes in fact-checking and open-source intelligence. Known for their work investigating Russia, Bellingcat researchers were carefully chosen targets, as stated by Bellingcat’s Eliot Higgins on Twitter.
Highly focused, the phishing campaign targeted the digital security of only ten individuals, who have been identified by investigative journalist Christo Grozev. These include some researchers who do not work for Bellingcat but do investigate Russia.
ProtonMail, the email service used in the phishing attack, published a short statement, which included some fascinating details on the phishing attack from their perspective.
In this article, we’ll explore a different angle to this campaign by analyzing it from the unique outside-in perspective of RiskIQ. RiskIQ data reveals multiple phishing campaigns involving different tactics beyond the analysis by ThreatConnect.
July 11, 2019
On May 14th, RiskIQ covered the latest mass compromise of third-party web suppliers by a Magecart group. This initial report focused on seven of these suppliers, the scripts of which were injected with skimmer code, which possibly affected several thousand websites using their services.
However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.
RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019. We’ve been working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as we observe them.
We wrote the following article to raise awareness around the security policies for Amazon S3 as well as web-skimming attacks in general.
Discovery of Misconfigured Bucket
Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel
May 15, 2019
Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.
Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, gives attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.
A Widespread Campaign
As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.
Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:
May 02, 2019
With our internet-wide telemetry, RiskIQ has discovered some of the most significant Magecart attacks ever carried out. These involved a host of different tools and tactics including several different inject types, skimmers of varying sophistication, and countless intrusion methods. But for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms.
The most notorious of these payment platforms is Magento. RiskIQ’s first blog post on Magecart introduced it as a new breed of threat centered around attacks on Magento, and recent developments show that stores running Magento are still a prime target for skimming groups. Considering the frequency with which Magecart groups target Magento, many security professionals associate Magecart (and web skimming in general) with Magento.
However, web skimming goes well beyond Magento. Skimming groups target almost any web environment, including dozens of other online shopping platforms used by stores around the world.
In this post, we’ll explain how the rise of web-skimming coincides with the development and evolution of online shopping platforms that not only power large e-tailers but also thousands of smaller stores. While breaches of big brands like British Airways and Ticketmaster have become infamous, it’s smaller stores, more prone to security flaws, that help Magecart thrive.
We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.
March 20, 2019
We've seen Magecart conduct numerous high-profile digital credit card-skimming attacks against major international companies like British Airways, Ticketmaster, and Newegg. These Magecart groups have won unprecedented attention for themselves.
Security professionals have Magecart firmly on their radar, but they must remember that Magecart is a continuously evolving cybersecurity threat and there are new victims all the time. At RiskIQ, we detect hundreds of Magecart incidents every day but don't publicly document the vast majority of what we find. We only document significant events or changes in a group's mode of operation or capabilities.
In this blog, we'll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep. One has been resolved but was never disclosed, and another is ongoing despite our numerous attempts to contact the affected retailer. In both cases, the potential victims of credit card fraud — the consumers — have not been informed.
Note: In both breaches, only online payments were affected, not physical transactions.