How Magecart groups are stealing your card details from online stores

A joint report released today by cyber-security firms RiskIQ and Flashpoint provides a 60-page deep technical dive into the activities of several cyber-criminal groups that have been active in the past three years hacking online stores to secretly log and steal payment card details entered inside checkout forms.

Security

The report refers to these hacks and cyber-criminal groups using the term Magecart.

For the cyber-security experts who followed these hacks from their beginnings, this might be confusing, because, initially, the term was used to describe the malware deployed by a hacking group in the first attacks detected back in 2016.

ZDNet: Black Friday 2018 deals: Business Bargain Hunter's top picks | Cyber Monday 2018 deals: Business Bargain Hunter's top picks

Since then, the name Magecart has evolved to become an umbrella term used to describe the activities of at least seven hacking groups, all who appear to have taken inspiration from the initial Magecart campaign, and have deployed similar malware in similarly-orchestrated attacks, in an effort to replicate the success of the initial Magecart group.

How a Magecart attack takes place

All these hacks usually follow a well-established pattern. The first step is for hackers to gain access to an online store's backend.

Initial Magecart attacks targeted Magento stores. Hackers used automated scanners to search the Internet for Magento stores and used vulnerabilities in the Magento CMS or its plugins to gain an initial foothold on infected systems.

Hackers would then modify the site's source code, making the hacked site load a piece of JavaScript code that would watch the payment form on checkout pages for new data entered by users.

The malicious script --which initially received the name of Magecart malware-- would collect all data entered by a user inside these forms and later send it to a remote server under the attacker's control.

But Magento stores aren't the only ones that have been hacked, and researchers have also reported that groups have also started expanding their focus to other online e-commerce platforms besides Magento.

Currently, Magecart groups aren't limited by the store's underlying platform when carrying out their hacks. Magecart attacks have been observed on all sorts of stores from Magento to PrestaShop, and from OpenCart to custom-coded platforms.

Furthermore, experts also observed some groups not going after the shops themselves, but after third-party services loaded on those shops. This includes live chat widgets, customer support rating widgets, and others.

Hackers compromise these services and hide their payment card skimming code inside the JavaScript code loaded via these widgets. This is how most of the big Magecart hacks have happened lately, such as the recent compromises at Ticketmaster, Feedify, ABS-CBN, and others.

In addition, experts also believe that besides hacking stores or third-party service providers, some of Magecart groups may be supplementing their portfolios by renting access to backdoored sites that contain e-commerce modules.

For example, online marketplaces like MagBO, or XMPP spam like the one below, provide hackers with easy opportunities to find additional platforms that can be infected with credit card skimming malware or can be used as a delivery method as part of supply-chain attacks.

Some of these underground hacking forums that advertise access to hacked forums are also used to sell skimmers, the code that's added to hacked sites and which performs the actual card data logging and exfiltration.

The prices for these skimmers can vary from $250 to $5,000, depending on the skimmer and its additional services. The most expensive skimmers are written in pure JavaScript, have their own backends, and can show statistics in real-time.

How the groups convert stolen card details into money

But just stealing payment card data is not enough, as groups also need to monetize it. The easiest way to convert payment card details recorded on online stores is to put it up for sale on carding forums.

Carding forums are special dark or deep web forums where cyber-criminals sell credit card data, either obtained via classic ATM skimming, by hacking banks, payment providers, and more recently, from Magecart-type attacks.

The people who buy card data from these sites are other cyber-criminal groups that are specialized in money laundering.

These groups buy expensive products online and then recruit users --also known as money mules-- in the countries where they make the purchases to receive, repackage, and resend the ill-gotten goods to another location.

At this new location, goods are usually sold at very cheap prices, converting the funds from compromised cards into laundered money that can then be split among the money mule group's members.

The Magecart groups

Right now, RiskIQ says it's tracking at least seven Magecart groups, responsible for hacks on more than 110,000 different shops, according to rough estimations. The groups, and their characteristics are as follows:

Magecart Group 1

Active since: 2015 (possibly 2014) [1, 2]

Hacked stores: 2,500+

High-profile victims: National Republican Senate Committee, Guess (Australia), and Everlast.

Details:

The group fooled job seekers in the US into shipping items purchased with stolen credit cards to Eastern Europe where the goods were sold.
Used automated tools to find and compromise sites.
Used generic, rather simplistic skimmer.
Skimmer detects checkout pages based on the browser's URL.

Magecart Group 2

Active since: Late 2016, when it split from Group 1

Money mules: Used fake reshipping companies to ship ill-gotten products.

Details: Shares modus operandi with Group 1.

Magecart Group 3

Active since: 2016

Hacked stores: 800+

Details:

Mass-targets online stores, but stays away from high-end shops.
The group's skimmer and server infrastructure are different from the first two groups.
Skimmer detects checkout pages by looking at the page's source code for checkout forms (not at the browser URL).
Based on form structure, the group appears to target mainly stores and payment processors active in South America.

Magecart Group 4

Active since: 2017

Hacked stores: 3,000+

Details:

RiskIQ assesses that this group might have developed banking trojans before getting into hacking online store. "The skimmer and method of operation have a strong similarity to how banking malware groups operate," researchers said.
Skimmer code is very large, at over 1,500 lines of code.
Skimmer works by showing a fake form on top of the legitimate checkout form.
Skimmer activates based on store page URL if certain terms are found inside it.
Skimmer code contains anti-analysis measures to block security researchers from analyzing it.
The group focuses on compromising as many stores as possible and to get as many card details as possible.
This group likes to hide its malicious domains in plain sight by registering domains mimicking ad providers, analytics providers, victim's domains, etc..

Magecart Group 5

Active since: 2017

Hacked third-party providers: 12

Impacted number of stores: 100,000+

Details:

Group has exclusively gone after third-party service providers.
Their skimmer code has even appeared inside CDNs and online ads.
Typical skimmer code that activates based on URL keywords.

List of hacked third-party providers:

Conversions On Demand (from Dec 2017 to April 2017)
Annex Cloud (from Dec 2017 to Jul 2018)
SAS Net Reviews (dba Verified Reviews) (from Apr 2017 to Jul 2017)
flashtalking (from Jul 2018 to Aug 2018)
SociaPlus (from Dec 2017 to Jun 2018)
Inbenta (from Feb 2018 to Jun 2018)
PushAssist (from Jun 2018 to Aug 2018)
Clarity Connect (from May 2017 to Jul 2018)
ShopBack (from Jan 2018 to May 2018)
CompanyBe (from May 2018 to Sep 2018)
Feedify (from Aug 2018 to Sep 2018) [previous coverage]
Shopper Approved (Sep 2018) [previous coverage]

Magecart Group 6:

Active since: 2018

Hacked stores: 2

Victims: British Airways and Newegg

Details:

Group only goes after high-profile targets that handle a lot of daily payments.
Has a very simple skimmer, compared to other groups. This is because they don't need a one-size-fits-all skimmer, but can fine-tune it for each victim.
Group sells stolen credit cards on a well known dump and credit carding shop.

Magecart Group 7:

Active since: 2018

Hacked stores: 100

Details:

Group doesn't have a well-defined modus operandi other than compromising any e-commerce site it can find.
Does not go for top-tier stores.
Unique server infrastructure, different from all groups.
Uses other hacked sites as proxies for exfiltrating stolen data. This makes it hard for law enforcement to intervene, as they cannot downright take down these hacked sites.
Skimmer added directly on hacked sites, not loaded from third-party servers.
Skimmer exfiltrates payment data in GET requests which are embedded in images.

RiskIQ, the company that's been tracking most of these attacks since 2015, says it's currently working with AbuseCH and the Shadowserver Foundation to take down the server infrastructure of most of these groups.

Customers worried that an online store might be infected can always disable JavaScript inside their browser before making a payment. Since the card skimming code is written in JavaScript, this will prevent a standard Magecart attack.

Most modern e-commerce platforms and payments processors are designed to work with JavaScript disabled, meaning you'll still be able to buy the products you want.