MageCart Timeline of Malicious Activity



Introduction

MageCart is a particularly interesting threat group because of the sheer number of sites, approximately 100,000, they have either compromised or successfully skimmed card credentials from since being first identified in 2015. The name MageCart refers to multiple groups, according to RiskIQ. It appears that MageCart is a collective term used to track payment information-stealing activity from at least 12 separate groups. Researchers also point out that Group 9 was interfering with Group 3’s skimmer by manipulating the last credit or debit card number, which appears to indicate that MageCart is indeed an umbrella term used to track malicious activity. It may be difficult for individuals to tell the groups apart because some of them use similar and common data-stealing methods; however, RiskIQ does note, in its joint paper with Flashpoint, the methodology by which they identify the different groups.[1]


Figure 1 - Timeline of Prominent MageCart Malicious Activity with Length of Each Compromise

Analysis

Only a few sources, such as RiskIQ and Flashpoint, or media outlets discussing the researchers’ work, differentiate the groups into their own categories; whilst other sources attribute this activity to a singular MageCart, likely in efforts to track this kind of malicious activity without specifying which MageCart group is responsible. This potentially muddles the assertion as to what MageCart actually is and how it is structured.

Some of the MageCart groups utilise a fairly similar skimmer script, injected either into the checkout pages of ecommerce sites or directly into a webpage, where it searches for keywords such as “checkout”. This similarity may mean that several groups are one and the same, that they are communicating and sharing information, or that the groups simply have access to the same tools. The history of Groups 1 and 2 supports this reading: they were initially observed as distinct groups in 2015 and 2016, and the researchers later merged them because of identical phishing and typosquatting tactics, which resulted in naming the group MageCart.[2] This umbrella term is now used to refer to multiple groups’ malicious activity.

As of this writing, Groups 1 and 2 have not been mentioned recently in open sources, which may indicate that the groups are either defunct or have undergone the kind of evolution and growth in sophistication that is often observed in threat groups. The evolution of Groups 1 and 2’s tactics, from typosquatting domains and their reshipping scheme to injecting skimmer script into vulnerable sites, could be an example of the natural progression of a single MageCart group. This maturation could be applicable to all of the groups (1 through 12), and perhaps the group is attempting to make attribution more difficult by making it appear that there are multiple groups. For some groups, though, there is stronger evidence that they are different entities, as Group 9 was observed attacking Group 3 in a previous campaign.[3]

MageCart is a very active and prominent threat that exemplifies the tenacity of financially-motivated threat actors. Some of the groups that share more similarities than differences may require more research and observation to ascertain whether they are more likely to be the same group testing out various techniques or distinct groups. The consistent onslaught targeting ecommerce websites, combined with different obfuscation techniques and JavaScript skimmers, can make MageCart difficult to defend against. These compromises expose the numerous weaknesses that thousands of websites contain. Injected skimmers remain on sites approximately 12.7 days before detection, and at least 20% of infected sites are reinfected by MageCart within 10.5 days following clean up.[4] Additional research on MageCart, to determine how they are able to initially compromise such a significant number of sites and to improve our understanding of their goals, methods, and capabilities, will better inform online merchants of the risks and of how to secure their sites for consumers.

2015

  • Group 1 is observed[5]
    • Group 2 associated to Group 1 in 2016[6]

2016

  • Group 3 is identified[7]
  • Group 5 is identified[8]
    • December 2016 - April 2017 Conversions on Demand compromise[9]

2017

  • Group 4 is identified[10]
  • April 2017 - July 2017 SAS Net Reviews compromise (Group 5)[11]
  • May 2017 - July 2018 Clarity Connect compromise (Group 5)[12]
  • September 2017: Group 4 begins to “fingerprint” visitors who appear to be attempting to analyse MageCart’s skimmer script[13]
    • Checked if the process slowed down (indicates static analysis) and if the browser’s developer tools tab was open
  • December 2017 - June 2018 SociaPlus compromise (Group 5)[14]
    • The 4th company affected from this supply chain compromise was TicketMaster
    • December 2017 - July 2018 Annex Cloud compromise [15]
      • Stein Mart used this company; disclosed the breach on September 14, 2018[16]

2018

  • January 2018 - September 2018 Shopback Brazil compromise (Group 5)[17]
  • February 2018 - June 2018 Inbenta compromise (Group 5)[18]
  • May 2018 - September 2018 companyBE compromise (Group 5)[19]
  • June 2018 - August 2018 Pushassist compromise (Group 5)[20]
  • July 2018 - August 2018 Flashtalking compromise (Group 5)[21]
    • Increased the group’s reach for potential victims since the company both provided content for ads and served them[22]
      • Not effective in successfully obtaining card credentials because advertisements were not active on checkout pages for sites
  • August 2018 - September 2018 Feedify compromise (Group 5)[23]
  • Group 6 is identified[24]
    • August 13 - September 18, 2018 Newegg compromise[25]
      • Registered domain and new IP dropped the skimmer on the backend
      • Stolen card data for sale on dumps/underground market on September 27, 2018[26]
    • August 21 - September 5, 2018 British Airways compromise[27]
      • Mobile application and website compromised
        • Anyone who made bookings or paid for changes to bookings in that timeframe affected[28]
      • Data observed on sale on dump sites/underground markets on September 13[29]
  • June 23 through November 13, 2018 g_analytics incident[30]
    • MageCart typosquatted recognisable domains to make malicious activity appear legitimate while stealing payment data from websites injected with malicious JavaScript
  • OXO International compromised between 2016 and late 2018[31]
  • September 15 - 17, 2018 Shopper Approved compromise (Group 5)[32]
    • Forgot to obfuscate their skimmer script for 25 minutes on the 15th
  • November - Group 9 is identified[33]
    • Malwarebytes researchers discovered that the website owned by retailer “Umbro Brazil” was compromised by two MageCart skimming scripts
    • Researchers found that one of the skimmers would manipulate the credit or debit card number from the other skimmer by changing the final card number to a random digit[34]
    • RiskIQ researcher Yonathan Klijnsma claims that this activity is MageCart Group 9 fighting with MageCart Group 3[35]
  • December - Group 8 is identified[36]
    • Symantec researchers discovered a formjacking (use of JavaScript code to steal payment data) campaign that RiskIQ researcher Yonathan Klijnsma attributed to MageCart Group 8
    • The campaign targeted a website owned by an unnamed retail store located in Paris, with injected JavaScript created to steal payment data and send it back to a typosquatted domain (google-analytics[.]org)
  • December - Group 11 is identified[37]
    • Compromised multiple websites operated by the online optical retailer, “Vision Direct UK” from November 3 through November 8, 2018 to steal data entered onto the affected sites
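The g_analytics incident and the Group 8 campaign above both relied on exfiltration hosts that imitate a recognisable domain (google-analytics[.]org standing in for google-analytics.com). As an added defensive illustration, not code from this report or from any of the cited researchers, the Python script below lists the external script sources on a checkout page and flags hosts whose registered name closely imitates a watched brand; the allow-list, watched labels and sample page are constructed for the example.

```python
"""Audit the <script src> hosts of a checkout page for typosquats of trusted
analytics domains. Constructed example; allow-list and watched brands are assumed."""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this shop legitimately loads scripts from (assumed allow-list).
TRUSTED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# Registered names that skimmer exfiltration domains have imitated.
WATCHED_BRANDS = {"google-analytics", "googletagmanager"}
# Similarity above which a second-level label counts as an imitation.
SIMILARITY_THRESHOLD = 0.8


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in the page."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def classify_host(host):
    """Return 'same-origin', 'trusted', 'typosquat' or 'unknown' for a host."""
    host = host.lower()
    if not host:
        return "same-origin"          # relative src, served by the shop itself
    if host in TRUSTED_HOSTS:
        return "trusted"
    labels = host.split(".")
    # The second-level label is what a reviewer's eye reads (google-analytics.org
    # vs .com); compare it against each watched brand with a fuzzy ratio so that
    # single-character swaps are caught as well as TLD changes.
    sld = labels[-2] if len(labels) >= 2 else host
    for brand in WATCHED_BRANDS:
        if SequenceMatcher(None, sld, brand).ratio() >= SIMILARITY_THRESHOLD:
            return "typosquat"
    return "unknown"


def audit_checkout_html(html):
    """Return [(src, verdict), ...] for every script source in the page."""
    parser = ScriptSrcParser()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # Protocol-relative and absolute URLs carry a host; relative paths do not.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        findings.append((src, classify_host(host)))
    return findings
```

Any 'typosquat' or 'unknown' verdict on a checkout page is worth comparing against the site's own deployment records before the next scheduled scan, since the report notes skimmers sit undetected for roughly 12.7 days on average.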

2019

  • January - Group 12 is identified[38]
    • Group 12 compromised a JavaScript library owned by French advertising company “Adverline”
    • The library was injected with malicious code to search for keywords related to online shopping and subsequently skim the payment data entered on an affected site

Endnotes

[1] Jordan Herman, Yonathan Klijnsma, and Vitali Kremez, “Inside Magecart: Profiling the Groups Behind the Front Page Credit Card Breaches and the Criminal Underworld that Harbors Them,” RiskIQ and Flashpoint, accessed December 3, 2018, published November 2018, https://cdn.riskiq.com/wp-content/uploads/2018/11/RiskIQ-Flashpoint-Inside-MageCart-Report.pdf?_ga=2.97588895.1871284311.1542273938-1172729395.1542273938, 7.

[2] Jordan Herman, Yonathan Klijnsma, and Vitali Kremez, “Inside Magecart: Profiling the Groups Behind the Front Page Credit Card Breaches and the Criminal Underworld that Harbors Them,” RiskIQ and Flashpoint, 8-10.

[3] Catalin Cimpanu, “Magecart group hilariously sabotages competitor,” ZDNet, accessed January 17, 2019, published November 20, 2018, https://www.zdnet.com/article/magecart-group-hilariously-sabotages-competitor/.

[4] Willem De Groot, “Merchants Struggle with MageCart Reinfections,” GitLab, accessed December 3, 2018, published November 12, 2018, https://gwillem.gitlab.io/2018/11/12/merchants-struggle-with-magecart-reinfections/.

[5] Jordan Herman, Yonathan Klijnsma, and Vitali Kremez, “Inside Magecart: Profiling the Groups Behind the Front Page Credit Card Breaches and the Criminal Underworld that Harbors Them,” RiskIQ and Flashpoint, 8-10.

[6] Ibid.

[7] Ibid., 11-12.

[8] Ibid., 19-21.

[9] Ibid., 22-23.

[10] Ibid., 13-18.

[11] Ibid., 25-26.

[12] Ibid., 28.

[13] Ibid., 13-18.

[14] Ibid., 26.

[15] Ibid., 24.

[16] Ibid., 24.

[17] Ibid., 28.

[18] Ibid., 27.

[19] Ibid., 29.

[20] Ibid., 27.

[21] Ibid., 25.

[22] Ibid., 26.

[23] Ibid., 29.

[24] Ibid., 32-34.

[25] Ibid., 33-34.

[26] Ibid., 34.

[27] Yonathan Klijnsma, “Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims,” RiskIQ, accessed January 17, 2019, published September 11, 2018, https://www.riskiq.com/blog/labs/magecart-british-airways-breach/.

[28] Ibid.

[29] Jordan Herman, Yonathan Klijnsma, and Vitali Kremez, “Inside Magecart,” RiskIQ and Flashpoint, 33.

[30] Anomali Labs, “Is Magecart Checking Out Your Secure Online Transactions,” Anomali Blog, accessed January 15, 2019, published November 21, 2018, https://www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions.

[31] Lawrence Abrams, “OXO Breach Involved MageCart Attack That Targeted Customer Data,” BleepingComputer, accessed January 17, 2019, published January 7, 2019, https://www.bleepingcomputer.com/news/security/oxo-breach-involved-magecart-attack-that-targeted-customer-data/.

[32] Jordan Herman, Yonathan Klijnsma, and Vitali Kremez, “Inside Magecart: Profiling the Groups Behind the Front Page Credit Card Breaches and the Criminal Underworld that Harbors Them,” RiskIQ and Flashpoint, 30-31.

[33] James Walker, “Criminal turf war may be brewing after Magecart double whammy,” The Daily Swig, accessed January 17, 2019, published November 23, 2018, https://portswigger.net/daily-swig/criminal-turf-war-may-be-brewing-after-magecart-double-whammy.

[34] Jérôme Segura, “Web skimmers compete in Umbro Brasil hack,” Malwarebytes Blog, accessed January 17, 2019, published November 20, 2018, https://blog.malwarebytes.com/threat-analysis/2018/11/web-skimmers-compete-umbro-brasil-hack/.

[35] Catalin Cimpanu, “Magecart group hilariously sabotages competitor,” ZDNet, accessed January 17, 2019, published November 20, 2018, https://www.zdnet.com/article/magecart-group-hilariously-sabotages-competitor/.

[36] Siddhesh Chandrayan, “Formjacking: Targeting Popular Stores Near You,” Symantec Blog, accessed January 17, 2019, published December 5, 2018, https://www.symantec.com/blogs/threat-intelligence/formjacking-targeting-popular-stores.

[37] Yonathan Klijnsma and Jordan Herman, “In Latest Magecart Evolution, Group 11 Stole More Than Just Card Data From Vision Direct,” RiskIQ Blog, accessed January 17, 2019, published December 4, 2018, https://www.riskiq.com/blog/labs/magecart-vision-direct/.

[38] Trend Micro Cyber Safety Solutions Team, “New Magecart Attack Delivered Through Compromised Advertising Supply Chain,” Trend Micro Blog, accessed January 16, 2019, published January 16, 2019, https://blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/.