External Threat Management Magecart

Magecart: New Research Shows the State of a Growing Threat

Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft by skimming online payment forms. It's also fundamentally changing the way we view browser security. 

A global phenomenon, Magecart is threatening the ability of consumers worldwide to shop online safely by stealthily intercepting their credit card data via their browser without the consumer's or website owner's knowledge. Although it's just now getting global attention, Magecart has been active for nearly ten years—RiskIQ's earliest Magecart observation occurred on August 8th, 2010.

Magecart works by operatives gaining access to websites either directly or via third-party services in supply-chain attacks and injecting malicious JavaScript that steals the data shoppers enter into online payment forms, typically on checkout pages. Quietly, it's eating away at the e-commerce industry because website owners lack visibility into the code that's running on their site, which is a bigger problem than most people realize. Skimming code can exist on a breached website for weeks, months, or even indefinitely, victimizing any visitor who makes purchases on that site.

RiskIQ's global discovery platform gathers internet-wide telemetry that enables us to view websites as Magecart actors do, a unique perspective that provides unmatched visibility into this surging threat. In our latest report, we share the insights gleaned from this telemetry data, which yields critical insight into the state of Magecart, whose skimmers have appeared over two million times and have directly breached over 18,000 hosts.

External Threat Management

RiskIQ Named CIO Favorite at Innovation CONNECT CIO Technology Day

For as rapidly as business changes, the threat landscape changes even faster. CIOs and other business leaders are realizing that they must rethink cybersecurity to catch up.

With cyber security risk outside the firewall now a top-of-mind priority for CIOs, RiskIQ's ability to bring the massive scope of an organization's attack surface into focus helped secure the CIO Favorite award at Innovation CONNECT CIO Technology Day. The award is given to the company in which CIO attendees would most want to invest if they had significant capital to fund a startup.

Addressing the gap between security inside the firewall and security outside the firewall was of particular interest at the forum, which features 30 companies selected from over 200 startups. These entrepreneurs present to an audience of CIOs, who choose which presentations to watch based on their interests. With a presentation about managing the exposures created by digital initiatives such as cloud migrations, RiskIQ CEO Lou Manousos had one of the biggest audiences of the day.

In his pitch, Lou explained RiskIQ's unique value in helping businesses understand their attack surface as they grow their digital presence. He demonstrated that RiskIQ's global discovery platform, which contains data sets built from crawling the internet for over a decade, is a unique value proposition. The audience quickly realized that RiskIQ is an essential tool in addressing cyber security risk in a quickly evolving cyberthreat landscape.

External Threat Management Magecart

The Consumer Guide to Shopping Safely in the Age of Magecart

For the last ten years, the e-commerce industry has been battling a stealthy enemy in digital web skimming. Dubbed Magecart by RiskIQ when we first reported on the threat, these groups of cybercriminals have been intercepting credit card information from users making purchases online by breaching websites and injecting their JavaScript web skimmers on checkout pages. Just like a physical skimmer a real-world criminal might put on an ATM or gas pump, these digital skimmers intercept credit card numbers, expiration dates, and CVV numbers when a consumer purchases something online. The skimmer then exfiltrates that data to an attacker-owned server to be used by the hacker or sold on the dark web.

From small shops to giant household names like Newegg, Ticketmaster, and British Airways, these attacks have affected thousands of sites, and potentially millions of consumers, with virtually no one knowing. The most significant factor in Magecart's success is that most site owners lack visibility into the code running on their site. As a result, the average Magecart skimmer lasts over two weeks, with many lasting much longer than that.

While the onus is very squarely on businesses to protect their customers by increasing their visibility into the code running on their websites, Magecart is only growing more prevalent. In the meantime, consumers can take precautions to avoid being victimized and having their credit card information feed this criminal enterprise. 

Yonathan Klijnsma, RiskIQ's Head Threat Researcher and the leading expert on Magecart, offers five tips you can take as an online shopper to stay safe.

Check the reputation

External Threat Management

The Top 5 Priorities for Digital Attack Surface Management

It seems a cybersecurity team's work is never done. 

Whether threats originate within a company's network or outside of it, cybersecurity experts need to prevent known vulnerabilities from being exploited and resulting in a breach, as well as to anticipate unknown cyber threats before they compromise the company's security, reputation, and revenue. "Holistic" is the name of the game — from top to bottom these teams need to consider everything that could go wrong, then implement an effective plan to push back against it.

However, it’s hard to take initial action when your scope only includes your internal network, which is the case with far too many cybersecurity teams. That’s why we’ve outlined the top five priorities for all companies to manage their entire digital attack surface for maximum efficacy. The timeless adage tells us that a journey of a thousand miles begins with a single step, and it’s no different in this case either.

So while some organizations have developed a mature digital attack surface management program, others are just starting on the journey, evaluating the scope of their program and identifying where to start. For those organizations, it's important not to get overwhelmed when considering the cybersecurity health of your business. Just start here and take action. 

Labs Magecart

Old Magecart Domains are Being Bought Up for Monetization

Old Magecart domains are finding new life in subsequent cyber threat campaigns, many of which are entirely unrelated to web skimming.

Over the years, we’ve outed many Magecart web-skimming campaigns in reports that listed IOCs, including malicious domains that attackers used to inject web-skimming JavaScript into browsers or as a destination for the skimmed payment information. Large portions of these malicious domains have been taken up for sinkholing by various parties. However, some of them are kicked offline by the registrar, put on hold, and eventually released back into the pool of available domains.

Here’s the catch: when these domains come back online, the call-outs to them that attackers placed on breached websites are still in place, which means the domains also retain their value to threat actors. Bad guys are taking advantage of these domains coming back up for sale and purchasing them to be pressed into service once again for malicious purposes, whether that be more web skimming or use in malvertising campaigns.

Hijacking JavaScript injections

Many website owners are never aware of an active skimmer threat on their site—RiskIQ found that the average Magecart skimmer stays on a site for over two months, and many stay there indefinitely. The entire lifecycle of these malicious domains—loading JavaScript to an infected website, going offline, and then coming back online again—can pass without the website owner having an inkling that something is wrong.
External Threat Management

Even ‘Stealth’ Executives Are at Risk for Serious Security Breaches

It's near impossible to hide online. No matter how under-the-radar an executive tries to be, it's not just notoriety that attracts attention anymore -- it's their access to wealth, power, and information, which demands extensive security protection.

In April, it was announced that Facebook CEO Mark Zuckerberg's allotted security budget was $20 million in 2018 -- four times the amount he received for security in 2016. Meanwhile, there are executives like Larry Ellison, whose security spending has declined in recent years, even though his net worth has risen.

It is flawed logic to think that because a billionaire practices stealth wealth, or "flies under the radar," he or she is not going to get caught in a hacker's crosshairs. A company's C-suite, leadership teams, and board of directors are all sources of sensitive, privileged, and confidential information. This makes them prime targets for hackers, regardless of whether the public knows their names, because hackers don't care why you have money -- they just care that you do. All of these individuals require just as much security protection from cyber threats.

CEOs can easily become victims of fraud via business email compromise/email account compromise attacks, which, according to FBI statistics, now amount to a $12 billion scam. And when private information about these high-net-worth individuals is exposed online, it carries a high degree of risk for that individual, their family, their associates, and their business, all of whom equally need security protection. This is because even if an executive stays off Forbes' list of the world's billionaires, any of their data in the digital world is fair game. Cybercriminals practice the utmost due diligence to identify targets and exploit their most private details. A cyberattack of surgical precision can happen to anyone at any company.

Consider the example of Sony. The FBI believes North Korean hackers accessed the company's networks and stole data -- including unreleased movies, financial information, company plans, and personal emails -- before publishing it for the public. The hit to the company's reputation was overwhelming. "Investigation and remediation expenses" related to the hack cost Sony $41 million, according to the Associated Press. And before this scandal, it's unlikely the exploited Sony employees were household names, yet they still played a critical role in the breach of data.
External Threat Management

What’s in a Malvertisement? More Magecart and a 186% Spike in Drive-by Delivery

What's in a malvertisement?

The answer to that question is always changing because malvertising is ever-evolving. However, a six-month sample of RiskIQ's cyber threat detection data shows a fascinating cross-section of the current malvertising landscape.

The data shows a 186% increase in cases of drive-by malvertising (malvertisements that don't require a user click) over the previous six months, as well as more instances of malware. Meanwhile, there's been a slight scaling back of phishing and scams, possibly due to client efforts aimed at blocking that behavior and improving the user experience.

So, what's in a malvertisement? Here's what RiskIQ sees:
External Threat Management

Executives Can Be Data-Breached: How Safe Is Your CEO?

Extortion, blackmail, data leakage, targeted spearphishing.

Your organization's leadership is not only a prime target for cyber attackers but also a principal attack vector. Defending your executive team, from online cyberattacks and physical attacks alike, requires a new approach: acting and thinking like "the bad guys."

Cybercriminals constantly try to find and distribute sensitive information about these high-profile, high-net-worth individuals. When they’re familiar with someone’s name, likeness, and personal web presence, bad actors can sell information about the super-wealthy or use it against them in digital attacks. These digital invasions can also translate into disturbing real-world attacks: since 2013, 78,617 firms have been scammed out of more than $12 billion. The bad guys only had to exploit the financial executives at these companies to make it happen. So-called spearphishing and whaling attacks are two ways to do it.

A spearphishing attack targets employees who hold sensitive information via email. The threat actor pretends to be an executive, and often fools the employee, because the attacker has more information about the CEO than anyone should and can therefore impersonate them convincingly.

This makes it easy to fool employees into sending sensitive information to someone who claims to be legitimate but is actually a malicious actor. In 2016, a Seagate employee emailed income tax data for several employees to a hacker, exposing thousands of people's personal data to a third party.
Labs Analyst

A Deeper Look at the Phishing Campaigns Targeting Bellingcat Researchers Investigating Russia

On July 26th, ThreatConnect published an analysis of a coordinated phishing attack against Bellingcat, an investigative journalism website that specializes in fact-checking and open-source intelligence. Known for their work investigating Russia, Bellingcat researchers were carefully chosen targets, as stated by Bellingcat’s Eliot Higgins on Twitter.

Highly focused, the phishing campaign targeted the digital security of only ten individuals, who have been identified by investigative journalist Christo Grozev. These include some researchers who do not work for Bellingcat but do investigate Russia.

ProtonMail, the email service used in the phishing attack, published a short statement, which included some fascinating details on the phishing attack from their perspective.

In this article, we’ll explore a different angle on this campaign by analyzing it from the unique outside-in perspective of RiskIQ. RiskIQ data reveals multiple phishing campaigns involving different tactics beyond those covered in the analysis by ThreatConnect.