Magecart

External Threat Management Magecart

The Consumer Guide to Shopping Safely in the Age of Magecart

For the last ten years, the e-commerce industry has been battling a stealthy enemy in digital web skimming. Dubbed Magecart by RiskIQ when we first reported on the threat, these groups of cybercriminals intercept credit card information from users making purchases online by breaching websites and injecting their JavaScript web skimmers into checkout pages. Just like a physical card skimmer a real-world criminal might fit to an ATM or gas pump, these digital skimmers capture credit card numbers, expiration dates, and CVV numbers when a consumer buys something online. The skimmer then exfiltrates that data to an attacker-owned server, where it is used by the attacker or sold on the dark web.

From small shops to giant household names like Newegg, Ticketmaster, and British Airways, these attacks have affected thousands of sites, and potentially millions of consumers, with virtually no one knowing. The most significant factor in Magecart's success is that most site owners lack visibility into the code running on their site. As a result, the average Magecart skimmer survives for over two weeks, and many last much longer than that.

While the onus is squarely on businesses to protect their customers by increasing their visibility into the code running on their websites, Magecart is only growing more prevalent. In the meantime, consumers can take precautions to avoid being victimized and having their credit card information feed this criminal enterprise.

Yonathan Klijnsma, RiskIQ's Head Threat Researcher and the leading expert on Magecart, offers five tips you can follow as an online shopper to stay safe.

Check the reputation

Labs Magecart

Old Magecart Domains are Being Bought Up for Monetization

Old Magecart domains are finding new life in subsequent cyber threat campaigns, many of which are entirely unrelated to web skimming. 

Over the years, we’ve outed many Magecart web-skimming campaigns in reports that denoted IOCs, including malicious domains that cyber attackers used to inject web-skimming JavaScript into browsers or as a destination for the skimmed payment information. Large portions of these malicious domains have been taken up for sinkholing by various parties. However, some of them are kicked offline by the registrar, put on hold, and then eventually released back into the pool of available domains.

Here's the catch: when these domains come back online, the script injections that attackers placed on breached websites still call out to them, which means the domains also retain their value to threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them so they can once again be pressed into service for malicious purposes, whether that is more web skimming or use in malvertising campaigns.

Hijacking JavaScript injections

Many website owners are never aware of an active skimmer threat on their site; RiskIQ found that the average Magecart skimmer stays on a site for over two months, and many stay there indefinitely. The entire lifecycle of these malicious domains (serving JavaScript to an infected website, going offline, and then coming back online again) can pass without the website owner having an inkling that something is wrong.
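The check this lifecycle calls for, and the visibility the consumer guide above says most site owners lack, is an inventory of which external hosts a page actually loads script from, compared against the suppliers the owner knows about. The following is an added example written for this page, not RiskIQ code; the page HTML, the allowlist and every hostname in it are constructed placeholders.

```python
"""Inventory the hosts a page loads script from and flag any that are not on
the site owner's allowlist. Added example for this page, not RiskIQ code.
SAMPLE_HTML and ALLOWED_HOSTS are constructed; every hostname is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the owner knows they load script from (assumed allowlist).
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Constructed checkout page: one legitimate CDN script, one relative script,
# one inline script, and one tag that calls out to an unrelated domain.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="/static/js/cart.js"></script>
<script>window.__cfg = {currency: "USD"};</script>
<script type="text/javascript" src="//stats-collector.test/js/analytics.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag and counts inline ones."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def script_hosts(html):
    """Hosts referenced by external <script src=...> tags, lowercased.
    Relative paths are same-origin and yield no host; protocol-relative
    URLs (//host/path) are resolved by assuming https."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.srcs:
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Script hosts on the page that are not on the allowlist. Each one is
    either an undocumented supplier or an injection and should be checked for
    who controls the domain today, not who did when the tag was added."""
    return script_hosts(html) - set(allowed)


if __name__ == "__main__":
    for host in sorted(unexpected_hosts(SAMPLE_HTML)):
        print("unexpected script host:", host)
```

Any host in the output is worth a look at who controls the domain now; a lapsed domain that has been re-registered is exactly the case described above. Inline scripts are counted but not inspected, and a skimmer can be dropped inline as easily as loaded from a domain, so this inventory is a first check rather than a complete one.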

External Threat Management Magecart

RiskIQ Launches JavaScript Threats Solution Amidst Surge in Browser-based Cyber Attacks

Browser-based cyber attacks append malicious JavaScript to websites once every five minutes, according to RiskIQ detection data. These attacks, which include web skimming, cryptocurrency mining, fingerprinting, and watering-hole attacks, are responsible for some of the most high-profile breaches in recent history, including the hack of British Airways, in which threat actors intercepted credit card data for thousands of customers.

The BA breach, surfaced by RiskIQ last fall, was carried out by the crime syndicate Magecart. Most recently, a sophisticated Magecart group compromised thousands of sites with a supply chain cyber attack targeting misconfigured Amazon S3 buckets.

In the months and years to come, new breeds of these web-skimming attacks will likely emerge, whether from new or existing Magecart groups. Payment data is currently the focus, but they will pivot to skimming other information such as login credentials. These attacks can take the form of direct compromises of a site or supply chain compromises in which third-party JavaScript, such as analytics code, is tampered with at the supplier. Supply chain attacks give perpetrators massive reach by granting them access to potentially thousands of sites at once.
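One control that blunts the supply-chain variant is Subresource Integrity: the site pins a hash of the third-party script in the tag, and the browser refuses to run a body that does not match, so a script tampered with at the supplier's hosting fails closed instead of loading. Below is an added example, not RiskIQ's or any supplier's code, that computes the integrity value and checks a body against it the way a browser does; the script bodies and the supplier hostname are constructed.

```python
"""Subresource Integrity (SRI) for a third-party script. Added example for this
page, not RiskIQ's or any supplier's code. ORIGINAL, TAMPERED and the
supplier URL are constructed."""
import base64
import hashlib

# Algorithms SRI permits, in order of strength; a browser that sees several
# tokens checks only the ones using the strongest algorithm present.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: algorithm name, a dash,
    and the standard base64 of the raw digest."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute the way a browser
    does: parse the space-separated tokens, keep those using the strongest
    algorithm listed, and accept if the body matches any of them."""
    tokens = []
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in STRENGTH:
            tokens.append((algo, token))
    if not tokens:
        return False          # nothing usable to verify against: fail closed
    strongest = max(STRENGTH[algo] for algo, _ in tokens)
    return any(sri_digest(body, algo) == token
               for algo, token in tokens if STRENGTH[algo] == strongest)


def script_tag(url: str, body: bytes) -> str:
    """Pinned tag for a cross-origin script. crossorigin is required for SRI
    on cross-origin resources; without it the browser cannot check the hash."""
    return (f'<script src="{url}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')


# Constructed supplier script as reviewed and pinned by the site owner.
ORIGINAL = b"window.analytics = {track: function (e) {}};\n"
# Constructed: the same script after someone with write access to the
# supplier's hosting appends to it.
TAMPERED = ORIGINAL + b"/* appended after the pin was taken */\n"

PINNED_TAG = script_tag("https://cdn.supplier.test/analytics.js", ORIGINAL)
PINNED_INTEGRITY = sri_digest(ORIGINAL)


if __name__ == "__main__":
    print(PINNED_TAG)
    print("original loads:", sri_matches(ORIGINAL, PINNED_INTEGRITY))   # True
    print("tampered loads:", sri_matches(TAMPERED, PINNED_INTEGRITY))   # False
```

SRI only works for scripts whose content is static; a supplier that changes its script without notice breaks the page, which is a conversation worth having with the supplier. Pair it with a Content-Security-Policy whose script-src lists only the hosts you expect and whose connect-src and img-src restrict where the page may send data, so that a skimmer which does run has nowhere to exfiltrate to.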

Because these attacks are lucrative, cybercrime syndicates have created entire economies around them, with vibrant markets emerging for stolen data, web skimmers, and compromised websites. Meanwhile, businesses are left to weather the reputational and financial damage: loss of market share, lawsuits, and punitive regulatory fines.

The material damages to businesses from JavaScript attacks took sharp focus earlier this month when the first post-GDPR fine was imposed against British Airways for the breach of its digital security. The proposed amount of £183m represents 1.5% of BA's 2017 revenues and dwarfs the largest pre-GDPR fine levied by the UK's Information Commissioner's Office (ICO) of £500,000.

Labs Magecart

Spray and Pray: Magecart Campaign Breaches Websites En Masse Via Misconfigured Amazon S3 Buckets

On May 14th, RiskIQ covered the latest mass compromise of third-party web suppliers by a Magecart group. This initial report focused on seven of these suppliers, whose scripts were injected with skimmer code, possibly affecting several thousand websites using their services.

However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of planting skimmers by actively scanning for misconfigured Amazon S3 buckets. These buckets are insecure because they are misconfigured so that anyone with an Amazon Web Services account, not just the bucket owner, can read or write content in them.

RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019. We’ve been working with Amazon and affected parties to address Magecart injections and misconfigured S3 buckets as we observe them.

We wrote the following article to raise awareness of the security policies for Amazon S3 as well as web-skimming attacks in general.
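The misconfiguration at issue is an ACL grant to one of S3's predefined groups. AllUsers means anyone on the internet and AuthenticatedUsers means any AWS account, including ones the bucket owner has never heard of; a WRITE grant to either lets an outsider overwrite the JavaScript the bucket serves. The following is an added example, not RiskIQ's or Amazon's code, that audits an ACL document in the shape boto3's get_bucket_acl() returns and produces the owner-only equivalent; the ACL and the canonical ID in it are constructed.

```python
"""Audit an S3 bucket ACL for grants that let the public, or any AWS account,
write to the bucket, and build the owner-only ACL that replaces it. Added
example for this page, not RiskIQ's or Amazon's code. MISCONFIGURED_ACL is
constructed in the shape boto3's get_bucket_acl() returns; the canonical ID
is a placeholder."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account",
}
# Permissions that let the grantee change bucket contents or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

OWNER_ID = "OWNER-CANONICAL-ID-PLACEHOLDER"   # constructed

# Constructed: the owner's own full control, plus the misconfiguration the
# campaign exploited (WRITE to AuthenticatedUsers) and a public READ grant.
MISCONFIGURED_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
    ],
}


def dangerous_grants(acl):
    """(who, permission) for each grant that gives a public group write-like
    access. This is the condition that lets an outsider replace the JavaScript
    a bucket serves; public READ is reported separately by public_read()."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_LIKE):
            findings.append((PUBLIC_GROUPS[uri], grant["Permission"]))
    return findings


def public_read(acl):
    """True if either public group can list or read the bucket."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
               and g.get("Permission") in {"READ", "FULL_CONTROL"}
               for g in acl.get("Grants", []))


def owner_only_acl(acl):
    """The same ACL reduced to grants to the bucket owner, which is what the
    'private' canned ACL produces. Suitable for
    put_bucket_acl(Bucket=..., AccessControlPolicy=<this>)."""
    owner_id = acl["Owner"]["ID"]
    grants = [g for g in acl.get("Grants", [])
              if g.get("Grantee", {}).get("Type") == "CanonicalUser"
              and g["Grantee"].get("ID") == owner_id]
    return {"Owner": acl["Owner"], "Grants": grants}


if __name__ == "__main__":
    for who, perm in dangerous_grants(MISCONFIGURED_ACL):
        print(f"{perm} granted to {who}")
    print("public read:", public_read(MISCONFIGURED_ACL))
    print("after fix:", dangerous_grants(owner_only_acl(MISCONFIGURED_ACL)))
```

A bucket policy can grant the same access independently of the ACL, so audit that too, and turn on S3 Block Public Access at the account level: with it enabled, grants to either group are ignored regardless of what the ACL says, and new ones are rejected.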

Discovery of Misconfigured Bucket

Labs Magecart

Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel

Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.

Web-based supply-chain attacks, which compromise vendors that supply code to add or improve website functionality, give attackers access to a wide range of victims at once because the compromised code is often integrated into thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.

A Widespread Campaign

As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.

Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:

Labs Magecart

Magento Attack: All Payment Platforms are Targets for Magecart Attacks

With our internet-wide telemetry, RiskIQ has discovered some of the most significant Magecart attacks ever carried out. These involved a host of different tools and tactics including several different inject types, skimmers of varying sophistication, and countless intrusion methods. But for every Magecart attack that makes headlines, we detect thousands more that we don’t disclose. A considerable portion of these lesser-known breaches involves third-party payment platforms.

The most notorious of these payment platforms is Magento. RiskIQ’s first blog post on Magecart introduced it as a new breed of threat centered around attacks on Magento, and recent developments show that stores running Magento are still a prime target for skimming groups. Considering the frequency with which Magecart groups target Magento, many security professionals associate Magecart (and web skimming in general) with Magento.

However, web skimming goes well beyond Magento. Skimming groups target almost any web environment, including dozens of other online shopping platforms used by stores around the world.

In this post, we’ll explain how the rise of web-skimming coincides with the development and evolution of online shopping platforms that not only power large e-tailers but also thousands of smaller stores. While breaches of big brands like British Airways and Ticketmaster have become infamous, it’s smaller stores, more prone to security flaws, that help Magecart thrive.

We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.

Labs Magecart

Consumers May Lose Sleep Over These Two New Magecart Breaches

We've seen Magecart conduct numerous high-profile digital credit card-skimming attacks against major international companies like British Airways, Ticketmaster, and Newegg. These Magecart groups have won unprecedented attention for themselves.

Security professionals have Magecart firmly on their radar, but they must remember that Magecart is a continuously evolving cybersecurity threat and there are new victims all the time. At RiskIQ, we detect hundreds of Magecart incidents every day but don't publicly document the vast majority of what we find. We only document significant events or changes in a group's mode of operation or capabilities.

In this blog, we'll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep. One has been resolved but was never disclosed, and another is ongoing despite our numerous attempts to contact the affected retailer. In both cases, the potential victims of credit card fraud — the consumers — have not been informed.

Note: In both breaches, only online payments were affected, not physical transactions.

MyPillow

External Threat Management Magecart

Magecart Isn’t Just a Security Problem; It’s Also a Business Problem

Magecart is more than just a security problem—it's also a business problem.

When threat actors breached British Airways in September, resulting in the compromise of thousands of customers' credit cards, the world got a look at what the fallout of a modern security breach looks like. Immediately afterward, a law firm launched a £500 million class action suit. On top of that, under GDPR, firms found liable for a breach can be fined up to 4% of turnover, or £500 million in British Airways' case.

Magecart, the digital credit card skimming groups behind some of the most impactful hacks of 2018, was the culprit. As the world saw, Magecart is more than just the flavor of the week hacking group—it's a digital threat that will haunt businesses long into the future. That's why it's foolish to view Magecart as anything but a new threat category all its own. Like malware, phishing, domain infringement, etc., organizations now need a long-term solution to address it.

Magecart is here to stay

2018 saw numerous high-profile digital credit card-skimming attacks against major international companies conducted by Magecart. Alongside British Airways, these included the likes of Ticketmaster and Newegg. These infamous breaches led to the group garnering unprecedented attention with WIRED naming it as one of the eight “most dangerous people on the internet in 2018”.

Labs Magecart

Magecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime

In November of 2018, we published the cornerstone report "Inside Magecart," in which we disclosed the existence of seven distinct Magecart groups and described in detail their operations and the different ways they skim payment information. Since then, we've detailed even more groups, such as Group 11 and Group 12.

After our researchers surface more Magecart instances in RiskIQ’s automated detection, attribution is usually the final step in our analysis. However, we also spend a lot of time keeping up with each group and how it evolves. In this article, we’ll get back to a group we covered in the “Inside Magecart” report: Magecart Group 4.

Forcing their hand

We shed a big, bright light on Magecart Group 4’s operation and in the process described how their skimming attacks worked. However, more importantly, we took down crucial parts of their infrastructure. By taking down this infrastructure, we forced them to change their tactics and rebuild everything. Fortunately, this did not affect our ability to track them.

Magecart Group 4 has registered close to a hundred new domains and set up a large pool of servers with which to route these domains and supply victimized websites with skimmers. When we described Magecart Group 4 in the Inside Magecart report, we noted them as one of the most advanced groups we’ve encountered given their rich history in the e-crime ecosystem. This has proven to be even more true with their actions since:
