570 Online Stores Hacked - The Culprit is Keeper!

Since April 2017 (yes, that’s quite a long period), the Keeper hacking group is suspected to be behind breaches at more than 570 e-commerce sites.

The scoop

The Keeper group reportedly broke into 570 online store backends, changed the source code, and inserted malicious scripts. These malicious scripts logged payment card details entered by purchasers during checkout. These attacks are known as Magecart intrusions, e-skimming, or web skimming.

Keeper facts

  • The researchers could track the group's activities because the group used the same control panels for its backend servers.
  • The hacking group operates an interconnected network of 64 attacker domains, along with 73 exfiltration domains.
  • Over 85% of the targeted sites were built using Magento CMS.
  • The victim sites ranged from small-sized to medium-sized enterprises and were spread across 55 countries.

Recent attacks

  • Claire’s and Icing were compromised between April 25 and April 30: hackers breached the company websites and hid malicious scripts that recorded payment card details entered in checkout forms.
  • A new digital skimmer, MakeFrame, was spotted by RiskIQ researchers recently; with it, the attackers inject HTML iframes into web pages to siphon payment data.
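
A defender-side check for the script and iframe injection described above, added here as an example that is not part of the original article: it audits checkout markup for scripts, iframes and form targets on hosts outside an allowlist, and for inline scripts missing from a known-good baseline. The host names, sample markup and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def inline_digest(text):
    return hashlib.sha256(text.strip().encode()).hexdigest()

class CheckoutAudit(HTMLParser):
    # Elements that can load code or receive card data, and the attribute naming the target.
    URL_ATTR = {"script": "src", "iframe": "src", "form": "action"}

    def __init__(self, page_host, allowed_hosts, known_inline):
        super().__init__()
        self.page_host = page_host
        self.allowed = set(allowed_hosts) | {page_host}
        self.known_inline = set(known_inline)
        self.inline_buf = None  # body of the inline <script> being read, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:  # relative URLs have no hostname and resolve to the page's own host
            host = urlparse(url).hostname or self.page_host
            if host not in self.allowed:
                self.findings.append((tag, host))
        elif tag == "script":
            self.inline_buf = []

    def handle_data(self, data):
        if self.inline_buf is not None:
            self.inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.inline_buf is not None:
            digest = inline_digest("".join(self.inline_buf))
            if digest not in self.known_inline:
                self.findings.append(("inline-script", digest))
            self.inline_buf = None

def audit(html, page_host, allowed_hosts, known_inline=()):
    parser = CheckoutAudit(page_host, allowed_hosts, known_inline)
    parser.feed(html)
    return parser.findings
# Constructed sample checkout markup, not taken from any real site.
SAMPLE = """<form action="/checkout/submit"><input name="cc_number"></form>
<script src="/static/checkout.js"></script><script src="https://pay.example/sdk.js"></script>
<script src="//cdn-metrics.example/t.js"></script><iframe src="https://frames.example/pay.html"></iframe>
<script>document.forms[0].addEventListener("submit", track);</script>"""
```

Calling `audit(SAMPLE, "shop.example", {"pay.example"})` reports the two off-allowlist hosts and the unbaselined inline script; passing the reviewed script's digest as `known_inline` leaves only the host findings.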

Stats about skimming attacks

  • The number of card skimming attacks has soared by 26% since March.
  • The number of skimming attacks is the highest on Monday, which is the busiest day for online shopping, and lowest on weekends.
  • The most affected country is the U.S., closely followed by the U.K. and the Netherlands.
  • Last year, a Magecart group was responsible for compromising a Volusion CMS, impacting 6,000 e-commerce sites.

The takeaway

Web skimming has been around for a long time and is not going anywhere anytime soon. Customers are advised to develop proper internet hygiene when shopping online.