Labs Magecart

New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks

RiskIQ has tracked Magecart and exposed their attacks for years. Now, the term is top-of-mind in the security community and beyond, with a Google search of ‘Magecart’ returning over 170,000 results. In fact, the cybercriminal group of digital credit card-skimming gangs gained such notoriety throughout last year that WIRED named Magecart in its list of “Most Dangerous People On The Internet In 2018.”

With the threat of Magecart looming large, RiskIQ receives a continuous flow of questions from businesses looking to protect their attack surface, law enforcement tracking each Magecart group, reporters covering Magecart activity, and other vendors looking to leverage RiskIQ’s unique web forensics data, which enabled us to disclose Magecart attacks against Ticketmaster, British Airways, Newegg, and more.

Unfortunately, Magecart is only becoming a more significant threat as it scales and evolves faster than ever, but we will continue to track Magecart activities and new groups as they emerge. This report details another attack campaign occurring over the past months that used a third-party supply chain attack, a tried and true Magecart tactic used in Group 5’s breach of Ticketmaster.

Web-based supply chain attacks compromise vendors that supply code often used to add or improve site functionality. This code integrates with thousands of websites, so when it’s compromised, the sites of all of the customers that use it are compromised. This gives Magecart access to a wide range of victims at once.

In Latest Magecart Evolution, Group 11 Stole More Than Just Card Data From Vision Direct

Since we began reporting on online card skimming, we have noted consistent evolutions in the modus operandi of the various Magecart groups, and even in the Magecart phenomenon itself. The web-skimming ecosystem has exploded, spawning multiple groups that want a piece of the action, many of which we reported on in our recent report “Inside Magecart.”

Changes in the manifestations of the Magecart skimmers and the technical expertise of the actors behind them precipitate advances in tracking and detection of these groups and their activities by RiskIQ. This article dives into another example of how the ecosystem is maturing.

A recent cyber attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites and, breaking from the traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, they have been able to compromise a large portion of websites.

Vision Direct

Inside Magecart: RiskIQ and Flashpoint Release Comprehensive Report on Cybercrime and the Assault on E-Commerce

The name Magecart has become ubiquitous as recent high-profile compromises have brought the threat of online card skimming to the forefront of security conversations and news publications.

Magecart, an umbrella term given to at least seven cybercrime groups, is placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. Responsible for victimizing scores of e-commerce sites including global brands Ticketmaster, British Airways, and Newegg, Magecart and its operatives have intercepted thousands of consumer credit card records and are claiming more victims every day.

However, although Magecart is only now becoming a household name, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years.

In a brand new RiskIQ and Flashpoint joint report, 'Inside Magecart,' we build a timeline of the Magecart phenomenon from the inception of digital credit-card skimming—its evolution from a Cart32 shopping cart software backdoor to Magecart's current all-out assault on e-commerce that compromises thousands of sites directly and via breaches of third-party suppliers.

We'll also profile the six leading Magecart groups along with notable related unclassified threat groups, highlighting their skimmers, tactics, targets, and what makes them unique:

Another Victim of the Magecart Assault Emerges: Newegg

RiskIQ conducted the research for this report in collaboration with Volexity, which will release a separate report of its own. From different perspectives, we will discuss the same incident, showing how we found and analyzed the latest instance of Magecart using our unique capabilities and datasets.

While the dust is settling on the British Airways compromise, the Magecart actor behind it has not stopped their work, hitting yet another large merchant: Newegg.

Last week we published details on the British Airways compromise immediately after the company made its first advisory public linking the breach of customer credit card information to Magecart. We were able to disclose these details based on our years of tracking the activities and infrastructure of the umbrella of Magecart groups performing digital credit card skimming campaigns. The British Airways cyber attack was highly targeted and done via a tactic we’d seen evolving through the years.

The report on the British Airways cyber attack came shortly after our discovery that Magecart was also behind the breach of Ticketmaster. As we build the narrative, it is becoming clear to the industry that these simple yet clever cyber attacks are not only devastating, they are becoming more and more prevalent. Newegg is just the latest victim.

The breach of Newegg shows the true extent of Magecart operators’ reach. These cyber attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target. The elements of the British Airways cyber attacks were all present in the cyber attack on Newegg: they integrated with the victim’s payment system and blended with the infrastructure, staying there as long as possible.

Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims

On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. In interviews with the BBC, the company noted that around 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information.

On its website, British Airways placed an article explaining details of the incident that answered as many questions as possible for customers. The technical details were sparse but included the following pieces of information:

  • Payments through its main website were affected

Uncovering Magecart With RiskIQ Data: How We Did It

The Magecart project is the biggest thing I’ve worked on in my career in the scope of the cyber threat, the effects of the breaches, and, as a result, the media attention our work garnered. It wasn’t possible without RiskIQ data.

Seeing words I wrote quoted on national news is a new experience for me personally, but the work we put into the project was not—far from it. The data we used, as well as the techniques we employed to work with and surface it, were typical of the analytics and cyber threat detection we carry out at RiskIQ every day. In the case of Magecart, our data sets allowed us to discover the breadth and scope of a massive compromise across the internet that few else could.

We first learned of the Inbenta breach through the disclosures Ticketmaster, Monzo Bank, and Inbenta released in late June and decided to dig into our data to see what we could find about it. We quickly identified several crawls of Inbenta scripts we had stored in RiskIQ's database. Finding them was relatively easy because Inbenta used subdomains containing the name of the website using the script along with the geographic region in the hostname, e.g., ticketmasteruk.inbenta[.]com. Ticketmaster websites were utilizing these scripts for the geographic areas described in the disclosure of the breach.

A key feature of RiskIQ’s integrated digital threat platform is our worldwide network of web crawlers. We continuously crawl the internet, collecting not just rendered pages but also the entire sequence of requests and responses that make up a web page—headers, dependent requests, certificates, and more. These crawls give us great insight into what is happening on a web server at any given point in time, and how that server would interact with a real user. We also incorporate the wealth of data we obtain from crawls into our aggregated datasets and our host pairs dataset, which proved especially useful for the analysis of Magecart. (A full description of host pairs is below.)

Our first example of an interesting Inbenta script had a hex-encoded and obfuscated JavaScript code block at the top of the script, above un-obfuscated JavaScript. Although hex encoding and obfuscation are not suspicious in themselves—developers use this process legitimately to minify JavaScript—it is strange to find obfuscated and unobfuscated JavaScript together in one file. Upon deobfuscating the code, we recognized what we saw right away: our old friend Magecart.

Inside and Beyond Ticketmaster: The Many Breaches of Magecart

On June 27th, Ticketmaster, a ticket sales and distribution company, made public they had been compromised and that hackers stole customer information. However, we discovered that this was not a one-off event as initially reported, but part of a massive digital credit card-skimming campaign by the threat group Magecart affecting over 800 e-commerce sites around the world.

The target for Magecart actors was the payment information entered into forms on Ticketmaster’s various websites. The method was hacking third-party components shared by many of the most frequented e-commerce sites in the world.

Card skimmers are devices criminals hide within credit card readers on ATMs, fuel pumps, and other machines people pay at with credit cards every day. These devices steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Since 2016, RiskIQ has reported on the rise of card skimmers of the digital variety, operated by the threat group Magecart, that use scripts injected into websites to steal data entered into online payment forms on e-commerce sites. Hackers placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality supplier known as Inbenta.

In this article, we’ll give our comprehensive insights into the events around the Ticketmaster breach. Magecart, the criminal group that performed this cyber attack, is well known to us. We have had an eye on them since 2015, and their cyber attacks have been ramping up in frequency and impact over the years. Our investigation following the Inbenta breach uncovered evidence that the Inbenta cyber attack was not a one-off, but instead indicative of a change in strategy by Magecart from focusing on piecemeal compromises to targeting third-party providers like Inbenta to perform more widespread compromises of card data.

Magecart Threat Actors are Reshipping Items Purchased with Stolen Cards via Mules in the U.S.

Magecart is back, and the operation is more elaborate than we thought, involving physical shipping companies with mules operating in the United States.

Credit card data is a hot commodity in the criminal underworld of the internet—stolen card data is readily available, and used to fund criminal enterprises of all kinds. But scammers, rippers, and carders aren't the only ones in on the action—the data has to be stolen in the first place.

Typically, when people think of credit card theft, they think of skimming, point-of-sale devices infected with malware, and large-scale data breaches. But actors are utilizing much sneakier and more sophisticated means of collecting credit card data, such as those behind Magecart, a threat we profiled last October, which injects JavaScript code into e-commerce sites running outdated and unpatched versions of shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, Magecart captures large quantities of payment card information from unsuspecting shoppers.

This stolen data can be packaged and sold as CVV dumps on websites where transactions involving stolen credit card data take place. In a recent Krebs on Security blog post, which ties Magecart infrastructure listed in our original report to a credit card dump website known as “Trump’s Dumps,” we caught a glimpse of how those behind Magecart are monetizing their operations.

But RiskIQ’s follow-on report, Magecart Part II: From Javascript Injects to Reshipping for Financial Gain, shows that these actors actually have a well-diversified portfolio of rackets for making money from their plunder. Continued tracking of Magecart activity over the last few months gave us a rare look into the physical world operations of actors tied to digital threats: cashing-in by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S.

Compromised E-commerce Sites Lead to “Magecart”

Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—Magecart, a recently observed instance of threat actors injecting a keylogger directly into a website, is one of these.

Targeting Consumers Via Retailer Payment Platforms

Since the widely publicized breach of Target Corporation, there has been a significant increase in awareness of POS (point of sale) system breaches. But web-based keylogger injection incidents remain little-known, even though they have been occurring for longer than the threats behind many high-profile breaches.

In 2000, the discovery of a vulnerability in versions of the widely-deployed Cart32 software, which enables consumers to shop online, gave threat actors access to the application as the administrator so they could dump credit card data and run commands on the hosting server. In 2007, discussions like this in the OSCommerce community illustrated more instances. Later in 2011, analysis showed additional mass compromise activity in OSCommerce pushing online store visitors to information-stealing malware.

Since then, this kind of activity increased, affecting other popular shopping cart software implementations.
