Magecart group hilariously sabotages competitor

...but it's still stealing your card data.

fight.jpg

Stealing payment card details from online stores --also known as web card data skimming or Magecart attacks-- is starting to look like the next big thing in online cybercrime, and there's no clearer indicator that the Magecart scene is getting crowded than discovering that some groups are now sabotaging each other's code.

This is exactly what's happening right now, according to two reports published today by Jérôme Segura of Malwarebytes and independent Dutch security researcher Willem de Groot.

Both researchers report that one of the many Magecart groups has now deployed code that sabotages the skimmer of a fellow rival Magecart gang.

Since it's hard to keep track of these groups, for this article, we'll use the codenames given to these two groups by Yonathan Klijnsma, a security researcher at RiskIQ, and one of the leading experts in Magecart infections.

According to Klijnsma, the group that actively tampers with its rival's code is Group 9, a relatively new actor on the Magecart scene, and the group that's the "victim" in this attack is Group 3, a group that's been known to be active primarily in South America.

Both Segura and de Groot say they've discovered that Group 9 has added special code to their card skimmer that's purposely built to look for domains associated with Group 3's operations.

When Group 9's code spots these domains, it doesn't stop those scripts but instead alters the payment card data that Group 3 collects.

Group 9 sneakily intervenes to replace the last digit of a payment card number with a digit they generated at random, and by doing so, compromising the validity of the data that Group 3 collects.

magecart-attack-replacing-cc-numbers.png
Image: Malwarebytes

Segura told ZDNet that the reason for this sabotage is that Group 9 wants to ruin Group 3's reputation on underground cybercrime forums where Group 3 might attempt to sell the card data they've collected, not knowing that some of the card numbers have been slightly altered and irrevocably compromised.

"Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again," Segura said.

Currently, Segura has spotted both Group 3 and Group 9 skimmers on the online stores of sportswear seller Umbro Brazil, while de Groot has spotted multiple skimmers on the Bliv.com cosmetics shop.

Web card skimming to get worse

Segura told ZDNet that such attacks are already quite common and are more likely to intensify with time, as web-based card skimming will become popular among cybercriminal gangs.

"Web skimmers are one of the most common website infections we see in our daily web crawls," Segura told us. "Now that skimming kits are readily available, the door is open to any threat actor, no matter their level of sophistication, to get in the game."

"I think we're going to have issues attributing attacks to 'Magecart' because there are so many different threat actors behind this moniker. What's important is to recognize that skimmers are a huge problem that has been underestimated for too long," Segura added.

Not the first time

On a side note, this incident between competing Magecart groups sabotaging each other's operations isn't the first time that malware groups have tried to undermine rivals.

Cryptocurrency miners discovered by Minerva Labs and ISC Sans have engaged in similar tactics this year, where they killed the processes of rival crypto-mining malware.

Back in 2015, the Shifu banking trojan also acted in a similar way to kill the processes of rival banking trojans.

Furthermore, a large number of current IoT malware families also kill the processes of rival malware strains, and sometimes even close the infection vector (SSH or Telnet ports) after they gain access to a victim to make sure they won't be interrupted by rival botnets.

Segura, too, has seen this malware sabotage trend in the past. "We've seen server-side infections where attackers will close the vulnerability that they've used so that nobody else gets in," he said.

"It's particularly interesting to see the battle of JavaScript on the client-side, and in this case, it goes beyond denying others access," Segura told ZDNet. "Here we see a threat group deliberately poisoning the data, which has great repercussions in terms of creditability in underground marketplaces."

Related cyber-security coverage: