Deep-dive: The Magecart Collective

The Magecart collective is a myriad of distinct cybercriminal groups which are strategically inserting credit card skimming code on to compromised e-commerce websites, at an unprecedented rate and with frightening success.

Magecart achieved infamy after two data heists from Ticketmaster and British Airways. Hundreds of thousands of customers’ card payment information had been lifted via a few lines of JavaScript code injected onto the pages where customers fill out their credit card numbers. (Figure 1)

Figure 1

Magecart attacks are designed to evade detection systems like a web application firewall  (WAF), antivirus solutions, and traditional firewalls, by executing their inserted code in the browser. This attack works by compromising third-party services, like Amazon Web Services (AWS), shopping cart software, and WordPress plugins among others to insert their code on to the page where customers fill out their credit card information. 

This inserted code is usually written in the development language known as JavaScript. This means that when the user hits enter, after filling out the form, and sends the data to the payment service, but also to the Magecart attackers too. (Figure 2)

Figure 2

Since the data breaches from Ticketmaster, British Airways, and Newegg, cybersecurity firms and IT departments have remained vigilant for such attacks. However, there has been a surge of Magecart activity throughout 2019 and does not appear to be subsiding in 2020. 

The attack on British Airways was a landmark in card skimming history. Around 380,000 customers had their personally identifiable information (PII) and credit card information stolen and sold after making purchases using the BA website or mobile app been August and September 2018. This was achieved via compromising a third-party service used by the BA website and mobile app that was used to develop the checkout page, where customers input their credit card information, including number, expiry date, and CVV, but also their real names and billing addresses - everything you need to defrauded them. Under GDPR legislation, the UK’s ICO issued a whopping $237 million fine (1.5% of their revenue for that year) for that data breach. The RISK IQ researchers who helped identify the attack found that, through cross-examination, the same exact 22 lines of code was also skimming the Newegg eCommerce website and mobile app. Newegg sees about 50 million monthly visitors, mainly from the US, and has a business valued at $2.65 billion. One of the only ways the affected firms started to find out was through multiple banks receiving reports from customers reporting that their cards have been used to make fraudulent purchases. All customers affected has one thing in common - they had recently used their cards on the BA site or mobile app.

Here is a list of other Magecart attacks which have taken place within the last two years:

There are multiple groups that belong to the Magecart collective but all generally employ the same tactics. They target the checkout pages of any websites with significant traffic, compromise sites through third-party services, gain control and maintain persistence, inject malicious code onto the checkout pages, exfiltrate customer payment data to a collection point, and begin the money laundering process.

Now that the groups have learned this is a successful fund generating tactic they are continuously evolving their skimming methods and techniques. Newly found active skimmers often have some detection evasion features like only appearing for users in certain geo-locations (mainly the US) or only being displayed for Windows systems and block Linux OS users. This helps Magecart attackers target strict sets of victims and enables their skimmers to remain on the sites for longer.

Since the Magecart collective was uncovered, security researchers have been trying to prevent and mitigate against web skimming but the groups employ complicated procedures to enable their attacks. This includes changing registrars (where the exfiltration domains are registered), alternating where the C&C servers are hosted (swapping IP addresses), and utilising ‘bulletproof’ hosting (BPH). 

Once a Magecart group successfully begins to collect victim payment data, their sophisticated money laundering network is activated. The stolen payment data is sold on darknet forums and ‘carding’ marketplaces. Once a buyer purchases this data they are free to use where they like. This can include, printing the numbers onto blank card and using these to withdraw funds or buy prepaid gift cards with them. They can also use the stolen cards to for anonymous cryptocurrency transactions). (Figure 3)

Figure 3

Magecart has also been linked to other financial advanced persistent threats (APT) such as Cobalt/Carbanak/FIN7 and several others. The links are made to similar domains, IP addresses, email addresses used to register domains, and strings in the code of other malware families, like several banking Trojans. There is believed to be a dozen Magecart groups which employ similar card skimming tactics. Magecart Group 9 was observed to have hijacked Group 3’s web skimmer and porceded to randomise the payment data which they were stealing for months, so when they came to sell it on the darknet forums, such as ‘Joker’s Stash’, they would have lost all credibility. Magecart Group 4 have been designated responsible for the British Airways and Newegg heists, but Group 5 is known to have compromised over 20,000 different sites via insecure plugins they were all using. 

In the future, the Magecart collective is likely to continue to develop its tactics, techniques, and procedures (TTPs) because the cybercriminal gang are able to earn huge financial rewards, incentivising them to carry on, and until very recently, no Magecart attackers have ever been caught. 

It is the responsibility of the eCommerce site owners to take cybersecurity seriously and protect their customers using their services. This challenging because in this day and age of software development the vetting of 3rd, 4th, and 5th party services may be required. It is also on the onus of the legislators to tighten up data protection laws and set minimum practical, but necessary, security standards.

The savvy online shopper can also protect themselves in a number of ways from the threat of Magecart, and other types of fraud, by keeping their data, and therefore their funds, protected. This could include using a ‘proxy’ card to make online purchases, which involves setting up a bank account just for online purchases, whereby money is only transferred over to the account prior to a purchase, otherwise the account remains empty and worthless to fraudsters. I also believe the new Apple Card offers ‘real time fraud protection’ and alternates the card number upon each transaction which renders stealing the card information useless. Amazon Pay and PayPal are also better alternatives than entering you primary card details onto a checkout page loaded with adverts from third-party services. 

Businesses can protect themselves via auditing the code on checkout pages, vetting third party services, applying the latest security updates, monitoring for typosquatting domains and when a certificate is issued for them, as well as submitting takedown requests. Otherwise, Magcart can be an existential risk to businesses due to the tough GDPR fines (4% of annual turnover or €20 million). Along with reputational and customer trust damaged, an incurred loss of traffic, and other large costs that come with data breaches. 

Public and private sector organisations must consider investing in cybersecurity, cyber threat intelligence, and remain vigilant. 

Most of this research has come from RISK IQ, who are industry leaders into protecting from Mageart and crawl roughly 2 billion websites in search of signs of Magecart.

References:  - RISK IQ conference talk - Vice Documentary on credit card fraud

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks