Security news that informs and inspires

The Deep, Dark Reach of the Magecart Group

For at least four years, a distributed, sophisticated network of cybercrime groups known collectively as Magecart has been compromising ecommerce sites small and large, as well as payment processors,installing web skimmers to steal confidential information, and raking in a fortune by selling pilfered card numbers on the underground, largely without any repercussions. Although security researchers have been tracking some of the groups since 2015, only recently has the Magecart name begun to ring out, as some elements of the group have hit major targets, including Ticketmaster and Newegg, drawing the attention of several law enforcement agencies and heightened interest in the research community.

In a new collaborative report, researchers from RiskIQ and Flashpoint have laid out the history, organization, technical details, and targeting of the six discrete groups that comprise Magecart. As a whole, Magecart likely ranks among the more successful financially motivated attack groups in recent memory.

And yet, few site owners and even fewer consumers will have ever heard the group’s name.

“Some of the payment processors were aware of them, because they see the fraud alerts when cards are hit. But when we first started publishing about them in 2015, no one knew who they were,” said Yonathan Klijnsma, head of threat research at RiskIQ, who has been tracking the Magecart group for several years.

“But it wasn’t until Ticketmaster was hit that it became a big problem.”

In June, Ticketmaster UK disclosed a breach that affected some of its customers who bought tickets online between February and late June. In most of the breaches associated with Magecart, the attackers modify a script on the target site and add some code that grabs card information from form submissions.

“The original Magecart skimmer was comprised of javascript embedded into e-commerce pages. Whenever card data was entered into a form, the skimmer copied the form and sent the stolen card data to a drop server. In this skimmer version, the drop server was the same as the one serving the skimmer. Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use,” the report says.

The first group, known as Group 1 and 2, uses automated tools to attack sites and install the skimmer code and has been operating in some capacity since 2014, Klijnsma said. The group began by running a reshipping scam, a common cybercrime-adjacent scheme that involves criminals buying expensive items with stolen card numbers and then using unwitting mules to take delivery of the goods and reship them to the criminals.

That scheme expanded into attacks on sites running on the the Magento ecommerce platform and later blossomed into the more sophisticated, diversified web skimming operation that’s humming along today.

“We saw the infrastructure set up as early as 2014 and they would breach Magento sites and modify the PHP code to install the skimmer. But they would make mistakes,” Klijnsma said. “Then they moved a JavaScript version, which is more lightweight and not as impactful on the site. We saw them make small mistakes, but they learned. We saw them figuring out how to do all of this.”

The original Magecart group was using a codebase for its skimmer that was seen in use by other groups, as well. Since then, the skimmer hasn’t changed much, because it just works. There’s no reason to mess with something that’s printing money. The packages the various Magecart groups are using are prebuilt, but they may have small variations, depending upon the target.

"We saw them make small mistakes, but they learned. We saw them figuring out how to do all of this.”

“They don’t care much about the skimmer. They just want it to work and it works at mass scale. Their theory is one compromise for many victims,” Klijnsma said.

Which is where the targeting of payment processors and shopping cart providers and other third parties comes in. Hitting one of those targets is a force multiplier for Magecart. There are dozens and dozens of companies that provide analytics and other tools that run on millions of sites across the web, and if Magecart is able to compromise one of those, the effects can be devastating.

The various Magecart operational groups have different specialties and targets. The report from RiskIQ and Flashpoint shows that each group makes small modifications to the main skimmer, uses separate IP address pools, and goes after different sets of targets. And they all operate separate drop servers and infrastructure to handle the data they’re exfiltrating. In most case, though, the groups sell the credit and debit card numbers they steal on underground markets.

Though the Magecart groups haven’t garnered as much public attention as some of the high-profile APT teams, the operators know that security researchers are onto them and have begun deploying countermeasures.

“In September, we noticed Group 4 start doing something fascinating: fingerprinting visitors to find people who might be analyzing its skimmer. This fingerprinter was injected at the bottom of the benign script normally served as a decoy until a shopper hits the payment page,” the report says.

The research community isn't’t the only one paying attention, either. Law enforcement agencies in the United States and abroad are following Magecart’s activities closely.

“Law enforcement agencies are very aware of them and they have taken a very serious approach to targeting those groups,” said Vitali Kremez, director of research at Flashpoint. “Both U.S. and international law enforcement are heavily involved.”