Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel
May 15, 2019
Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.
Web-based supply-chain attacks, which compromise vendors that supply code to add or improve website functionality, give attackers access to a wide range of victims at once because the compromised code is often integrated into thousands of sites. In this blog, we'll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.
A Widespread Campaign
As the timestamps below indicate, the majority of these compromises happened near the same day, Friday, May 10th.
Some of the targets in this campaign do not even process payments on their websites, showing that the attackers used a “shotgun” approach to great effect, compromising as many websites as they could knowing that at least some of them would be lucrative. RiskIQ found evidence of many other sites also being compromised, including:
May 02, 2019
With our internet-wide telemetry, RiskIQ has discovered some of the most significant Magecart attacks ever carried out. These involved a host of different tools and tactics, including several different inject types, skimmers of varying sophistication, and countless intrusion methods. But for every Magecart attack that makes headlines, we detect thousands more that we don't disclose. A considerable portion of these lesser-known breaches involves third-party e-commerce platforms.
The most notorious of these platforms is Magento. RiskIQ's first blog post on Magecart introduced it as a new breed of threat centered around attacks on Magento, and recent developments show that stores running Magento are still a prime target for skimming groups. Considering the frequency with which Magecart groups target Magento, many security professionals associate Magecart (and web skimming in general) with Magento.
However, web skimming goes well beyond Magento. Skimming groups target almost any web environment, including dozens of other online shopping platforms used by stores around the world.
In this post, we'll explain how the rise of web skimming coincides with the development and evolution of online shopping platforms that not only power large e-tailers but also thousands of smaller stores. While breaches of big brands like British Airways and Ticketmaster have become infamous, it's smaller stores, more prone to security flaws, that help Magecart thrive.
We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.
March 20, 2019
We've seen Magecart conduct numerous high-profile digital credit card-skimming attacks against major international companies like British Airways, Ticketmaster, and Newegg. These Magecart groups have won unprecedented attention for themselves.
Security professionals have Magecart firmly on their radar, but they must remember that Magecart is a continuously evolving cybersecurity threat and there are new victims all the time. At RiskIQ, we detect hundreds of Magecart incidents every day but don't publicly document the vast majority of what we find. We only document significant events or changes in a group's mode of operation or capabilities.
In this blog, we'll document two Magecart-related breaches against bedding retailers MyPillow and Amerisleep. One has been resolved but was never disclosed, and another is ongoing despite our numerous attempts to contact the affected retailer. In both cases, the potential victims of credit card fraud — the consumers — have not been informed.
Note: In both breaches, only online payments were affected, not physical transactions.
March 12, 2019
Magecart is more than just a security problem—it's also a business problem.
When threat actors breached British Airways in September, resulting in the compromise of thousands of customers' credit cards, the world got a look at what the fallout of a modern security breach looks like. Immediately afterward, a law firm launched a £500 million class action suit. On top of that, under GDPR, firms found liable for a breach can be fined up to 4% of turnover, or £500 million in British Airways' case.
Magecart, the digital credit card-skimming groups behind some of the most impactful hacks of 2018, was the culprit. As the world saw, Magecart is more than just the flavor-of-the-week hacking group; it's a digital threat that will haunt businesses long into the future. That's why it's foolish to view Magecart as anything but a new threat category all its own. Like malware, phishing, domain infringement, etc., organizations now need a long-term solution to address it.
Magecart is here to stay
2018 saw numerous high-profile digital credit card-skimming attacks against major international companies conducted by Magecart. Alongside British Airways, these included the likes of Ticketmaster and Newegg. These infamous breaches led to the group garnering unprecedented attention with WIRED naming it as one of the eight “most dangerous people on the internet in 2018”.
February 28, 2019
In November of 2018, we published the cornerstone report "Inside Magecart," in which we disclosed the existence of seven distinct Magecart groups and described in detail their operations and the different ways they skim payment information. Since then, we’ve detailed even more groups, such as Group 11 and Group 12.
After our researchers surface more Magecart instances in RiskIQ’s automated detection, attribution is usually the final step in our analysis. However, we also spend a lot of time keeping up with each group and how it evolves. In this article, we’ll get back to a group we covered in the “Inside Magecart” report: Magecart Group 4.
Forcing their hand
We shed a big, bright light on Magecart Group 4’s operation and in the process described how their skimming attacks worked. However, more importantly, we took down crucial parts of their infrastructure. By taking down this infrastructure, we forced them to change their tactics and rebuild everything. Fortunately, this did not affect our ability to track them.
Magecart Group 4 has registered close to a hundred new domains and set up a large pool of servers with which to route these domains and supply victimized websites with skimmers. When we described Magecart Group 4 in the Inside Magecart report, we noted them as one of the most advanced groups we’ve encountered given their rich history in the e-crime ecosystem. This has proven to be even more true with their actions since:
January 16, 2019
RiskIQ has tracked Magecart and exposed their attacks for years. Now, the term is top-of-mind in the security community and beyond, with a Google search of 'Magecart' returning over 170,000 results. In fact, the collection of digital credit card-skimming gangs gained such notoriety throughout last year that WIRED named Magecart in its list of "Most Dangerous People On The Internet In 2018."
With the threat of Magecart looming large, RiskIQ receives a continuous flow of questions from businesses looking to protect their attack surface, law enforcement tracking each Magecart group, reporters covering Magecart activity, and other vendors looking to leverage RiskIQ's unique web forensics data, which enabled us to disclose Magecart attacks against Ticketmaster, British Airways, Newegg, and more.
Unfortunately, Magecart is only becoming a more significant threat as it scales and evolves faster than ever, but we will continue to track Magecart activities and new groups as they emerge. This report details another attack campaign occurring over the past months that used a third-party supply chain attack, a tried and true Magecart tactic used in Group 5’s breach of Ticketmaster.
Web-based supply chain attacks compromise vendors that supply code often used to add or improve site functionality. This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are compromised. This gives Magecart access to a wide range of victims at once.
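The two supply-chain passages above (this one and the one in the May 15 post) both turn on the same mechanism: a `<script src="...">` that points at a vendor's host runs with full access to the page, so a compromise of that vendor reaches every site that embeds it. The first inventory a practitioner wants is therefore "which of our pages load third-party scripts, and which of those are pinned with Subresource Integrity?" The following script is an added example written for this page, not RiskIQ's code or any vendor's tooling: it parses a page with the Python standard library, lists every external script, and flags third-party includes that carry no `integrity` attribute. The page origin `shop.example`, the hosts `cdn.example` and `widgets.example`, and the sample HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect every external <script src=...> on a page and note whether it is
    third-party (host differs from the page origin) and SRI-pinned."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_origin = page_origin.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # html.parser already lowercases tag names
            return
        a = dict(attrs)              # boolean attributes come through as None
        src = a.get("src")
        if not src:
            return                   # inline script: not a remote include
        host = urlparse(src).netloc.lower()
        if not host:
            return                   # relative src, served from our own origin
        integrity = a.get("integrity") or ""
        self.findings.append({
            "src": src,
            "host": host,
            "third_party": host != self.page_origin,
            # a real SRI value looks like "sha384-<base64>"; anything else is not a pin
            "has_sri": integrity.startswith(("sha256-", "sha384-", "sha512-")),
        })


def audit_scripts(html: str, page_origin: str) -> list:
    """Return one finding per external script tag in document order."""
    auditor = ScriptAuditor(page_origin)
    auditor.feed(html)
    return auditor.findings


def unprotected_third_party(html: str, page_origin: str) -> list:
    """The sources a supply-chain compromise of a vendor would reach unchecked:
    third-party scripts loaded without Subresource Integrity."""
    return [f["src"] for f in audit_scripts(html, page_origin)
            if f["third_party"] and not f["has_sri"]]


# Constructed checkout page for the example (not a real site).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib/jquery.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERnotARealDigest" crossorigin="anonymous"></script>
<script src="//widgets.example/loader.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://shop.example/checkout.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "shop.example"):
        print(f)
    print("unpinned third-party scripts:", unprotected_third_party(SAMPLE_HTML, "shop.example"))
```

Two caveats matter in practice. SRI only works for scripts whose bytes never change between deployments, and many of the tag-manager, chat and analytics loaders that Magecart targets are deliberately served as mutable URLs, so a missing `integrity` attribute is a finding to triage rather than a fix you can always apply; a Content Security Policy `script-src` allowlist and periodic diffing of the fetched third-party script are the complementary controls. And the audit only sees what is in the HTML: a pinned first-stage loader can still pull unpinned second-stage code, so the inventory has to be repeated on what the loader itself fetches.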
December 04, 2018
Since we began reporting on online card skimming, we have noted consistent evolutions in modus operandi of the various Magecart groups, and even the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”
Changes in the manifestations of the Magecart skimmers and the technical expertise of the actors behind them precipitate advances in tracking and detection of these groups and their activities by RiskIQ. This article dives into another example of how the ecosystem is maturing.
A recent cyber attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites and, breaking from the traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, has been able to compromise a large number of websites.
Inside Magecart: RiskIQ and Flashpoint Release Comprehensive Report on Cybercrime and the Assault on E-Commerce
November 13, 2018
The name Magecart has become ubiquitous as recent high-profile compromises have brought the threat of online card skimming to the forefront of security conversations and news publications.
The groups operating under Magecart, an umbrella term for at least seven cybercrime groups, are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. Responsible for victimizing scores of e-commerce sites including global brands Ticketmaster, British Airways, and Newegg, Magecart and its operatives have intercepted thousands of consumer credit card records and are claiming more victims every day.
However, although Magecart is only now becoming a household name, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years.
In a brand new RiskIQ and Flashpoint joint report, 'Inside Magecart,' we build a timeline of the Magecart phenomenon from the inception of digital credit-card skimming—its evolution from a Cart32 shopping cart software backdoor to Magecart's current all-out assault on e-commerce that compromises thousands of sites directly and via breaches of third-party suppliers.
We'll also profile the six leading Magecart groups along with notable related unclassified threat groups, highlighting their skimmers, tactics, targets, and what makes them unique:
September 19, 2018
RiskIQ conducted the research for this report in collaboration with Volexity, which will release a separate report of its own. From different perspectives, we will discuss the same incident, showing how we found and analyzed the latest instance of Magecart using our unique capabilities and datasets.
While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg.
Last week we published details on the British Airways compromise immediately after the company made its first advisory public linking the breach of customer credit card information to Magecart. We were able to disclose these details based on our years of tracking the activities and infrastructure of the umbrella of Magecart groups performing digital credit card skimming campaigns. The British Airways cyber attack was highly targeted and done via a tactic we’d seen evolving through the years.
The report on the British Airways cyber attack came shortly after our discovery that Magecart was also behind the breach of Ticketmaster. As we build the narrative, it's becoming clear to the industry that these simple yet clever cyber attacks are not only devastating, they're becoming more and more prevalent. Newegg is just the latest victim.
The breach of Newegg shows the true extent of Magecart operators’ reach. These cyber attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways cyber attacks were all present in the cyber attack on Newegg: they integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible.