Take a Look Inside Magecart
Magecart operatives breach sites either directly or via supply chain attacks. Supply chain attacks target third parties that supply code to websites. Suppliers can include vendors that integrate with sites to add or improve site functionality, or cloud resources from which websites pull code, such as Amazon S3 buckets. These third parties integrate with thousands of websites, so when one supplier is compromised, Magecart has effectively breached thousands of sites at once.
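An added example (not RiskIQ's code or tooling): a defender-side inventory of the scripts a page pulls from third-party hosts, flagging those that carry no Subresource Integrity hash and those served from S3. The page URL, hosts and HTML are constructed, and using SRI as the pinning check is this example's assumption rather than something the page prescribes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; all hosts and the integrity value are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/widget.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://shop-assets.s3.amazonaws.com/checkout.js"></script>
<script src="//analytics.vendor.example/tag.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

class ScriptInventory(HTMLParser):
    """Collects (src, integrity) for every <script> that loads external code."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))

def is_s3_host(host):
    """True for bucket.s3.amazonaws.com, regional and legacy s3-<region> hosts."""
    labels = host.split(".")
    return host.endswith(".amazonaws.com") and any(
        l == "s3" or l.startswith("s3-") for l in labels)

def audit_third_party_scripts(html, page_url):
    """Return one finding per script served from a host other than the page's."""
    parser = ScriptInventory()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src, integrity in parser.scripts:
        url = urljoin(page_url, src)  # resolves relative and //host forms
        host = urlparse(url).hostname
        if host is None or host == page_host:
            continue  # first-party or non-network source
        findings.append({"url": url, "host": host,
                         "pinned": bool(integrity),  # SRI hash present
                         "s3_hosted": is_s3_host(host)})
    return findings

if __name__ == "__main__":
    for f in audit_third_party_scripts(SAMPLE_HTML, "https://shop.example/checkout"):
        print(f)
```

Unpinned entries are the ones where a change at the supplier reaches visitors with no check on the site's side.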
The attackers were also aware that the British Airways mobile app used much of the same functionality as the web app and that breaching the website would also grant them access to the app. Many of these 380,000 victims were mobile app users.
RiskIQ research revealed how some Magecart actors targeting e-commerce sites cash-out by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S.
By pivoting on a domain related to known Magecart activity in RiskIQ PassiveTotal, RiskIQ found that the server behind its IP address was linked to a reshipping company website falsely advertised as a freight/logistics provider. Magecart operatives recruit these mules through false employment ads on Russian job websites for U.S.-based job seekers, under the pretense of hiring “transport agents.” These mules receive shipments of electronics and other goods bought with stolen credit cards and ship them to an address in Eastern Europe.
This technique is similar to more traditional schemes involving money mules, but rather than a direct transfer of funds, the actors behind Magecart transfer funds into higher-priced goods. These goods can be shipped across borders without suspicion, then sold for a hefty profit.
RiskIQ has reported extensively on Magecart and will continue to report on the threat as it evolves. You can see our full Magecart library here.