For three years, the Magecart group—the name given to a collective of at least seven cybercrime outfits—has been a scourge to e-commerce. Using the digital equivalent of physical credit-card skimmers on high-profile websites, the group is alleged to be responsible for the loss of hundreds of thousands of payment card records and the personal data of its victims.
Not until the last few months and after the unraveling of three major breaches, however, has Magecart been elevated to the public’s consciousness.
Today, researchers at Flashpoint and RiskIQ are releasing the most comprehensive look inside the Magecart operation to date. Available for download, “Inside Magecart” examines each of the seven groups believed to make up the Magecart threat, including a thorough investigation into the infrastructure supporting these operations, the technical sophistication of the skimmer malware dropped onto the sites of its victims, and how victims are accessed and compromised.
The list of groups in the report is neither definitive nor comprehensive. It is a deep look at the operations currently being tracked; security personnel inside the enterprise should understand that there are likely more groups and operations taking part in Magecart’s web-skimming activity. As with most activities in the criminal underground, once others recognize a measure of success by one outfit, they are likely to join in and bring their own tools and operations with them, adding more competition and activity to an already crowded space.
The report melds the seven groups into six after a link was found between two of these outfits in the way they profited by using the same fraudulent reshipping operation. The groups differ in their capabilities and approaches to targeting victims. Some cast a wide net and use automated tools, opting for a high volume of victims. These operations, however, may use different variants of skimming malware to distinguish themselves from one another. Other groups, meanwhile, are much more advanced in the malware they use, the means they deploy to avoid detection, or in their approach toward targeting only high-profile victims.
The report also examines the commercial side of the Magecart operation, focusing on the sale and distribution of stolen cards through underground markets. It also details other means of monetization for Magecart, such as mule-handling and the shipping of goods. Finally, readers will learn more about the underground supply chain belonging to Magecart, and how the group offers skimmer kits and compromised e-commerce sites as a service.
This is the deepest publicly reported look into the Magecart operations and an important exposé of the activities of one of the most dangerous and profitable cybercrime outfits operating on the underground today.
Download “Inside Magecart” here.
Jordan Herman is a Threat Researcher at RiskIQ.
Yonathan Klijnsma is a Threat Researcher at RiskIQ.