RiskIQ Analysis of Ant and Cockroach Skimmer Reveals Highly Connected Magecart Ecosystem
November 11, 2020SAN FRANCISCO, NOVEMBER 11, 2020 – RiskIQ, the global leader in attack surface management and security intelligence, has released an analysis of the ‘Ant and Cockroach’ digital credit card skimmer that implicates Magecart Group 12 in September's large-scale attack on e-commerce websites running Magento 1 and dozens of other high-profile skimming incidents and malicious activity.
The analysis identifies the Ant and Cockroach skimmer as a common denominator in the September attacks on Magento 1 and threat activity recently reported by RiskIQ, Malwarebytes, Sucuri, Sansec, and several independent researchers.
RiskIQ’s research reveals that since August of 2019, the skimmer most often used by Magecart Group 12 has been the Ant and Cockroach skimmer. However, slight tweaks to the skimmer and innovative obfuscation techniques have, until now, kept parallels between many of the group’s attacks hidden.
These patterns include the presence of unique code that runs checks against the victim URL to ensure it’s on a checkout page and that developer tools are not enabled, the prevalence of a particular Russian hosting provider among threat infrastructure, and the distinctive “radix” obfuscation technique.
“Coupling OSINT with RiskIQ data and analysis allows us to see a throughline connecting all this Magecart activity via Group 12’s favorite tool and techniques,” said RiskIQ Threat Researcher Jordan Herman. “Our analysis even captured other malicious injections used by the group, such as coin miners and malicious redirects. Magecart Group 12’s activity is diverse and prolific.”
RiskIQ first profiled Magecart Group 12 in 2018 in a report analyzing a supply chain attack that affected hundreds of sites by compromising Adverline, a digital advertising platform. Again, in 2019, RiskIQ detailed how the group deftly swapped domains to avoid takedowns that would disrupt its attack.
The report includes insights such as:
- Detailed analysis of the Ant and Cockroach skimmer and its many variations, including how a cybersecurity practitioner can identify it in their environment.
- An analysis of Group 12’s obfuscation techniques, including the distinctive "radix" obfuscation.
- Details of Magecart Group 12’s recent activity, including how it ties into RiskIQ's past analysis of the group, and activity surfaced by Securi, Malwarebytes, and more.
- Comprehensive list of Magecart infrastructure uncovered by RiskIQ throughout its thorough investigation.
RiskIQ is a leader in digital attack surface management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75% of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by thousands of security analysts, security teams, and CISO’s, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect the business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures.
© 2020 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.
Front Lines Media