A joint report released today by cyber-security firms RiskIQ and Flashpoint provides a 60-page deep technical dive into the activities of several cyber-criminal groups that have been active in the past three years hacking online stores to secretly log and steal payment card details entered inside checkout forms.
The report refers to these hacks and cyber-criminal groups using the term Magecart.
For the cyber-security experts who have followed these hacks from the beginning, this may be confusing: initially, the term described only the malware deployed by one hacking group in the first attacks, detected back in 2016.
Since then, the name Magecart has evolved into an umbrella term for the activities of at least seven hacking groups, all of which appear to have taken inspiration from the initial Magecart campaign and have deployed similar malware in similarly orchestrated attacks, in an effort to replicate the success of the initial Magecart group.
All these hacks usually follow a well-established pattern. The first step is for hackers to gain access to an online store's backend.
Initial Magecart attacks targeted Magento stores. Hackers used automated scanners to search the Internet for Magento stores and exploited vulnerabilities in the Magento CMS or its plugins to gain an initial foothold on the targeted systems.
Hackers would then modify the site's source code, making the hacked site load a piece of JavaScript code that would watch the payment form on checkout pages for new data entered by users.
The malicious script, the component that originally carried the name Magecart malware, would collect all data entered by a user inside these forms and later send it to a remote server under the attacker's control.
But Magento stores aren't the only ones that have been hacked: researchers have also reported that the groups have expanded their focus to other e-commerce platforms besides Magento.
Currently, Magecart groups aren't limited by the store's underlying platform when carrying out their hacks. Magecart attacks have been observed on all sorts of stores from Magento to PrestaShop, and from OpenCart to custom-coded platforms.
Furthermore, experts also observed some groups not going after the shops themselves, but after third-party services loaded on those shops. This includes live chat widgets, customer support rating widgets, and others.
Hackers compromise these services and hide their payment card skimming code inside the JavaScript code loaded via these widgets. This is how most of the big Magecart hacks have happened lately, such as the recent compromises at Ticketmaster, Feedify, ABS-CBN, and others.
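Both injection paths described above, a modified store page and a compromised third-party widget, change what scripts the checkout page loads or what those scripts contain. The following is an added example, not code from the report or from RiskIQ or Flashpoint, of a baseline check a shop operator could run against its own checkout page; the hostnames, the allowlist and the sample page are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline for a hypothetical shop; the hosts are placeholders, not real sites.
FIRST_PARTY_HOST = "shop.example"
TRUSTED_THIRD_PARTY_HOSTS = {"cdn.example"}  # e.g. the live-chat widget provider

# Constructed checkout page: a first-party script, a trusted third-party widget loaded
# without an integrity attribute, a script from an unknown origin, and one inline script.
SAMPLE_CHECKOUT_HTML = """<html><body><form id="checkout"><input name="card_number"></form>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.example/chat-widget.js"></script>
<script src="https://static-analytics.invalid/collect.js"></script>
<script>window.shopConfig = {currency: "USD"};</script></body></html>"""

class ScriptCollector(HTMLParser):
    """Records each <script>: external ones as (src, integrity), inline ones as a count."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        elif tag == "script":
            self.inline += 1

def audit_checkout_page(html, first_party=FIRST_PARTY_HOST, trusted=TRUSTED_THIRD_PARTY_HOSTS):
    """Compare the scripts on a checkout page against the baseline. An unknown origin points
    to code injected into the store itself; a trusted third-party script with no SRI hash is
    flagged because a compromised provider can swap its content without the shop noticing."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {"unknown_origins": [], "unpinned_third_party": [], "inline_scripts": collector.inline}
    for src, integrity in collector.external:
        host = urlparse(src).hostname or first_party  # a relative src is first-party
        if host == first_party:
            continue
        if host not in trusted:
            report["unknown_origins"].append(src)
        elif not integrity:
            report["unpinned_third_party"].append(src)
    return report

def sri_hash(content: bytes) -> str:
    """SHA-384 value in the form integrity="..." expects; re-fetch a pinned widget and compare."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()
```

Running the audit on the sample page reports the unknown origin and the unpinned widget; a rerun after each deploy, compared with the previous report, turns the check into a simple change monitor for the checkout page.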
In addition, experts believe that besides hacking stores or third-party service providers, some Magecart groups may be supplementing their portfolios by renting access to backdoored sites that contain e-commerce modules.
For example, online marketplaces like MagBO, or XMPP spam like the one below, provide hackers with easy opportunities to find additional platforms that can be infected with credit card skimming malware or can be used as a delivery method as part of supply-chain attacks.
Some of the underground hacking forums that advertise access to hacked sites are also used to sell skimmers, the code that's added to hacked sites and which performs the actual card data logging and exfiltration.
The prices for these skimmers can vary from $250 to $5,000, depending on the skimmer and its additional services. The most expensive skimmers are written in pure JavaScript, have their own backends, and can show statistics in real-time.
But just stealing payment card data is not enough, as the groups also need to monetize it. The easiest way to convert payment card details recorded on online stores into money is to put them up for sale on carding forums.
Carding forums are special dark or deep web forums where cyber-criminals sell credit card data, whether obtained via classic ATM skimming, by hacking banks and payment providers, or, more recently, from Magecart-type attacks.
The people who buy card data from these sites are other cyber-criminal groups that are specialized in money laundering.
These groups buy expensive products online and then recruit users, also known as money mules, in the countries where they make the purchases to receive, repackage, and resend the ill-gotten goods to another location.
At this new location, goods are usually sold at very cheap prices, converting the funds from compromised cards into laundered money that can then be split among the money mule group's members.
Right now, RiskIQ says it's tracking at least seven Magecart groups, responsible for hacks on more than 110,000 different shops, according to rough estimates. The groups and their characteristics are as follows:
Magecart Group 1
Active since: 2015 (possibly 2014) [1, 2]
Hacked stores: 2,500+
High-profile victims: National Republican Senate Committee, Guess (Australia), and Everlast.
Details:
Magecart Group 2
Active since: Late 2016, when it split from Group 1
Money mules: Used fake reshipping companies to ship ill-gotten products.
Details: Shares modus operandi with Group 1.
Magecart Group 3
Active since: 2016
Hacked stores: 800+
Details:
Magecart Group 4
Active since: 2017
Hacked stores: 3,000+
Details:
Magecart Group 5
Active since: 2017
Hacked third-party providers: 12
Impacted number of stores: 100,000+
Details:
List of hacked third-party providers:
Magecart Group 6
Active since: 2018
Hacked stores: 2
Victims: British Airways and Newegg
Details:
Magecart Group 7
Active since: 2018
Hacked stores: 100
Details:
RiskIQ, the company that's been tracking most of these attacks since 2015, says it's currently working with AbuseCH and the Shadowserver Foundation to take down the server infrastructure of most of these groups.
Customers worried that an online store might be infected can always disable JavaScript inside their browser before making a payment. Since the card skimming code is written in JavaScript, this will prevent a standard Magecart attack.
Most modern e-commerce platforms and payment processors are designed to work with JavaScript disabled, meaning you'll still be able to buy the products you want.