September 22, 2021
RiskIQ has tracked Magecart since skimmers first surfaced in 2016 and burst into the headlines in the landmark attack against British Airways. In the time since, our researchers have cataloged hundreds of iterations of Magecart skimmers as different threat groups build, appropriate, tweak, and develop them to suit their unique purposes.
Despite their ongoing changes, these skimmers often maintain enough of the same characteristics and infrastructure for keen eyes to link them to past attacks and the responsible groups. In the case of the newly identified "bom" skimmer, which has been deployed on dozens of counterfeit online stores, distinct features and TTPs linked us directly to its predecessor skimmers, including the widespread MakeFrame version. It also pointed us to its operators, Magecart Group 7.
August 11, 2021
Magecart Group 8 has been targeting online retailers since 2016. This distinct skimming group first came to light when RiskIQ, led by researcher Yonathan Klijnsma, analyzed its skimmer in 2017 and exposed attacks on Nutribullet in February 2020 and MyPillow and Amerisleep in 2019.
The group hasn't fixed what isn't broken and today still uses the same skimmer and many of the same tactics and techniques to steal payment data. When selecting its targets, the group seems to continue to favor the home improvement industry, specifically hardware, real estate services, and interior design and decor.
Supported by our Internet Intelligence Graph, our researchers identify patterns to uncover new threat infrastructure and attacks across the global threat landscape. For Magecart Group 8, its choice of hosting providers shined new light on its skimming activities. RiskIQ researchers identified a pattern in the group's use of hosting providers Flowspec, JSC TheFirst, and OVH and its propensity to transition potentially inactive infrastructure from Bulletproof hosting providers to legitimate ones such as Velia.net.
June 16, 2021
In much of our recent analysis of threat infrastructure, we've seen the digital credit card skimming ecosystem grow as we uncover more actors, tooling, services, and economies that comprise it. We also see distinct patterns emerge in the infrastructure used and shared by these entities.
Over the last few years, Alibaba IP space has hosted many domains used for digital skimming and other malicious behavior. As bulletproof hosting providers host a considerable portion of skimming campaigns, the popularity of Alibaba IP space may result from one of these bulletproof services abusing Alibaba hosting services. Recently, some of these domains have also abused Google user content hosting.
While investigating infrastructure related to the MobileInter skimmer, our researchers found that a Google IP address briefly played host to one of its skimmer domains. This IP then hosted a domain offering a helpful service for card skimmers, allowing them to authenticate stolen payment data for a fee. From this data point, RiskIQ's Internet Intelligence Graph helped our researchers identify several related websites, services, and social media accounts connected to this authentication activity known as bit2check. Some bit2check domains share the same hosting pattern as Magecart domains observed abusing Alibaba and Google hosting services.
May 27, 2021
To truly understand the Magecart skimming groups that have become a mainstay of the e-commerce threat landscape, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common digital skimming solutions globally. However, a hallmark of widely used skimmers is their propensity to evolve as more actors use and tweak them to suit their unique needs and purposes.
Several different actors have used the Inter kit to steal payment data since late 2018. It affects thousands of sites and likely thousands of consumers, and RiskIQ continues to see new iterations of Inter in our Internet Intelligence Graph. One of these that should be firmly on the radar of security teams monitoring their organization's web assets is MobileInter, a modified and expanded take on Inter skimmer code that focuses exclusively on mobile users.
With nearly three out of every four dollars spent online done via a mobile device, it's no wonder Magecart operators are looking to target this lucrative landscape. RiskIQ researchers have analyzed this newer model to determine its functionality, prevalence, and links to other skimmer activity.
January 14, 2021
RiskIQ's recent analysis of Magecart infrastructure has shown its massive scale and put its interconnectivity into focus. Our most recent research takes two email addresses evoking the name of one of the most prominent bulletproof hosting providers on earth and ties them to newly discovered batches of Magecart infrastructure. From there, we show how this infrastructure overlaps with previously reported Magecart activity and highlight some common Magecart operator practices that can help researchers identify skimming infrastructure.
April 02, 2020
At RiskIQ, we track many different Magecart groups. We continually observe evolutions in the techniques they employ to skim card data and obfuscate the code that they use for that purpose. These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them.
On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code.
Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation. So far, RiskIQ has observed MakeFrame on 19 different victim sites.
In some cases, we've seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data. There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7.
The following is our analysis of this unique skimmer and the process we followed to attribute this skimmer to Magecart Group 7.
March 18, 2020
After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims.
On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the cyber attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet's infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the cyber attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.
As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals.
The First Skimmer
Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign
February 07, 2020
A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and EUFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all these cyberattacks to Magecart Group 12.
The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.
In those blog posts, we noted that Group 12 employed base64 encoded checks against the URL looking for the word "checkout" to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:
October 04, 2019
Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It's also fundamentally changing the way we view browser security.
A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer or website owner's knowledge. Although it's just now getting global attention, Magecart has been active for nearly ten years—RiskIQ's earliest Magecart observation occurred on August 8th, 2010.
RiskIQ's global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do; a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the valuable insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times, and directly breached over 18,000 hosts.