How does Magecart work?
Magecart operatives either breach sites directly or via supply chain attacks. Supply chain attacks target third parties that supply code to websites. Suppliers can include vendors that integrate with sites to add or improve site functionality, or cloud resources from which websites pull code, such as Amazon S3 buckets. These third parties integrate with thousands of websites, so when one supplier is compromised, Magecart has effectively breached thousands of sites at once.
What's in a Browser Threat?
Who does Magecart Target?
Notable Magecart Attacks
Magecart & Ticketmaster
On June 27th, 2018, Ticketmaster made public they had been compromised, with actors stealing payment information from the company’s various websites. RiskIQ discovered the breach was a result of Magecart operatives placing skimmers on Ticketmaster checkout pages through the compromise of a third-party functionality supplier known as Inbenta. Overall, the breach of Inbenta affected over 800 e-commerce sites around the world.
Magecart & British Airways
On September 6th, 2018, British Airways announced it had suffered a breach of its website and mobile app, resulting in the theft of payment data of 380,000 customers. RiskIQ researchers traced the breach to Magecart.
The attackers were also aware that the British Airways mobile app used much of the same functionality as the web app and that breaching the website would also grant them access to the app. Many of these 380,000 victims were mobile app users.
Magecart & Amazon S3 Buckets
The second-largest spike in Magecart detections occurred in July when RiskIQ announced that the scale of a mass compromise of third-party web suppliers by a Magecart group was much larger than previously reported. The actors behind these compromises automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets, managing to compromise a vast collection of S3 buckets to impact well over 17,000 domains. This list includes websites in the top 2,000 of Alexa rankings. RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the campaign, which started in early April 2019.
Magecart & Magento
Magecart will always be intrinsically connected to one program in particular: Magento. When we first wrote about Magecart back in 2016, Magento was the primary third-party shopping software targeted, inspiring the now-infamous name, which is a combination of “Magento” and “shopping cart.” To this day, third-party shopping platforms such as Magento and OpenCart, which fuel an enormous portion of e-commerce, are the lifeblood of many Magecart groups.
Monetization Through Reshipping Schemes
RiskIQ research revealed how some Magecart actors targeting e-commerce sites cash out by reshipping items purchased with stolen cards via a physical reshipping company operating with mules in the U.S.
By pivoting on a domain related to known Magecart activity in RiskIQ PassiveTotal, RiskIQ found that the server behind its IP address linked to a reshipping company website falsely advertised as a freight/logistics provider. Magecart operatives recruit these mules through false employment ads on Russian job websites for U.S.-based job seekers under the pretense of “transport agents.” These mules receive shipments of electronics and other goods bought with stolen credit cards to ship to an address in Eastern Europe.
This technique is similar to more traditional schemes involving money mules, but rather than a direct transfer of funds, the actors behind Magecart transfer funds into higher-priced goods. These goods can be shipped across borders without suspicion, then sold for a hefty profit.
Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign
A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and UEFA Euro 2020, olympicticket...
The Magecart Seal of Approval: Cybercriminal Card-Skimming Group Executes Scaled Supply Chain Attack on Shopper Approved
Over the past several months, we’ve published four reports on the digital credit card-skimming activities of Magecart—mainly regarding significant breaches like Ticketmast...