INSUBCONTINENT EXCLUSIVE:
There have been few hacker groups that have been responsible for as many headlines this year as Magecart.
You might not know the name, but
you probably haven&tmissed their work — highly targeted credit card skimming attacks, hitting Ticketmaster and British Airways, as well as
consumer electronics giant Newegg and likely many more sites that have been silently hacked to scrape consumer credit card data at the
checkout.
Nobody knows those attacks better than Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who been tracking Magecart
for more than a year.
In a new report published with risk intelligence firm Flashpoint, Klijnsma has exposed the inner workings of the
hackers — a group of groups, rather than a single entity — all with different modus operandi and targets, which he described as a
&thriving criminal underworld that has operated in the shadows for years.&
&Magecart is only now becoming a household name,& the researcher
said.
Chief among Klijnsma findings is that there are at least six distinct groups operating Magecart skimming scams, each taking their own
Group 1 began as early as 2014 by targeting thousands of sites with attacks and single-use servers for hosting the malware and storing the
collected data, while Group 2 and Group 3 expanded their reach and honed their attacks to hook their card skimming malware on a greater
range of payment providers
Group 4 took the bulk of the victims — more than 3,000 sites hacked — with its scattergun approach, grabbing as many cards as it could
from as many sites as it could.
The groups have been going where the money is — breaking into websites using known server vulnerabilities,
injecting card payment skimming code and siphoning off credit card numbers, names and security codes on an attacker-controlled server, often
for months at a time.
If they get caught, they just move on to their next victim.
Magecart most high-profile victims were the work of Group
5, which carried out supply chain attacks by hitting third-party code providers — like customer service chat boxes — that are installed
on thousands of sites and carrying the group malware with it, expanding the group reach on a massive scale
It was Group 5 that RiskIQ blames on targeting many of Ticketmaster global sites
Group 6, meanwhile, also began highly selective attacks that only targeted major players — including British Airways and Newegg.
Between
the half-dozen groups that RiskIQ has identified so far, at least 6,400 sites have been affected.
And that just the start.
Once a steady
stream of credit card numbers come in, the hackers will sell the data — often on the dark web, making it easier to hide their activities
from the law.
Magecart credit card skimming cycle
(Image: RiskIQ/Flashpoint)
Klijnsma warned that there will be many more card skimming groups and many more websites affected — larger and
lesser-known sites alike that have yet to be discovered.
Case in point: Earlier this year, little-known New Jersey-based electronics
retailer TechRabbit disclosed a data breach
Like so many other sites, it went largely unnoticed — except, upon closer inspection, the breach had all the hallmarks of Magecart
Willem de Groot, a security researcher cited in the Magecart report, confirmed on Twitter — and independently verified by TechCrunch —
that the site had been hit again months later.
We reached out to the company chief executive, Joel Lerner, to inform him of the card
&Who is TechCruch [sic] and what do you know about TechRabbit& he said.
After several emails back and forth, including a screenshot sample
of the malware on the site checkout pages, he expressed concern but stopped responding.
Klijnsma conceded that although his research has
given an unprecedented insight into how the Magecart groups work, &that doesn&t mean we will be able to spot every instance and every
There are likely many more sites affected by card skimming malware — as of yet undetected
&We&d like to call on the industry and everyone who encounters these attacks to help take it down,& he said.
To combat the threat from
Magecart, RiskIQ and other cybersecurity firms can sinkhole domains associated with Magecart infrastructure, pulling them offline and out of
operation.
Klijnsma said it requires a layered approach — like website owners improving their security with security patches and
&You don&t catch this with just one security control but rather you stack them and try to catch it at at least one of these steps,& he
said.
&Basically any vector is game among these groups with some groups utilizing all of them to reach their goal of breaching a target,& he
said.
Hackers stole customer credit cards in Newegg data breach
