Magecart expands infrastructure and threatens thousands of sites

At the 29th annual Virus Bulletin 2019 international conference in London in early October, Jordan Herman and Yonathan Klijnsma of RiskIQ made a presentation on the growing threat posed by the cybercriminal group Magecart. According to them, Magecart expands the infrastructure and threatens thousands of sites.

Researchers talked about the skimmer’s average lifespan, new tactics for spreading malicious scripts, and attacks on the supply chain.

“Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyberattacks involving digital credit card theft. By placing its malicious JavaScript skimmers on online payment forms at a massive scale, Magecart is threatening the ability of consumers worldwide to shop online safely”, — described the threat Jordan Herman and Yonathan Klijnsma.

According to RiskIQ experts, after 10 years of observation, they managed to detect Magecart skimmers about two million times. I alt, since August 2010, the group managed to crack mere end 18 thousand hosts. To manage malware, criminals use 573 domains and about 10 thousand hosts download data from them.

According to RiskIQ, recently, attackers began using banner ads to distribute skimmers. According to the researchers, almost a fifth of all malicious ads on the Internet contain Magecart scripts.

For the first time, RiskIQ specialists noticed the activity of criminals on August 8, 2010, although the Magecart group began to attract attention relatively recently. Typisk, interest in the activities of attackers increased after successful attacks on the supply chain.

One of these attacks was committed against the British Ticketmaster ticket service in the summer of 2018. Criminals have introduced a skimmer through user support software developed by Inbenta Technologies.

Læs også: Gucci botnet infects IoT devices in Europe

Later, a malicious script was found in the products of other suppliers. According to experts, mere end 800 online stores and about ten thousand users suffered from the actions of Magecart.

In April of this year, attackers managed to break into Amazon containers. The criminals scanned the Web in search of incorrectly configured S3 storages with JavaScript files and added a malicious script to them to inject the skimmer. Because of the attack, were compromised 17 thousand domains.

According to researchers, Magecart takes advantage of the fact that many companies often do not consider their own site as an attack vector.

“Often victims are unaware of the change in JavaScript on their site and that malicious code has existed there indefinitely. In the event of attacks on the supply chain, the victim often does not even know that the third-party script is compromised and dangerous”, — the report says.

RiskIQ analysts have estimated that malicious script runs on average for 22 dage. Imidlertid, sometimes a skimmer can remain on the site for years, stealing the data of visitors. Part of the abandoned Magecart domains are found and used by other groups. New owners can continue to steal billing information or, for eksempel, place advertising links on the page and receive income from clicks on them.

Om forfatteren

Valdis Kok

Sikkerhedsingeniør, reverse engineering og memory forensics

Efterlad en kommentar