At least 44 E-Commerce Sites Loose Customer Card Data

Modus Operandi of Group X

• The attackers exploited a defunct third-party service called Cockpit to acquire a domain name and used it to serve a skimming script.
• By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce sites.
• Data collected from the compromised sites were encoded, encrypted, and then sent to an exfiltration server based in Russia.

Modus Operandi of Group Y

• The skimmer code used by Group Y is very similar to Group X, however, the distribution method is different.
• Instead of using a third-party service, the actor injected a Google Analytics lookalike script in the victims’ homepages.
• The skimmer script was designed to run only on the checkout pages and harvested all accessible information. 

Modus Operandi of Group Z

• Group Z uses attack methodologies that are identical to Group X and Group Y, except for some modifications in script and server structure.
• The malicious script injected into the sites is disguised as Google Tag Manager, instead of Google Analytics as used by Group Y.

Stealthy Magecart attacks remain a serious threat

• Recently, a JavaScript skimmer loaded with unique anti-detection features was used to hamper the shopping experience of users visiting Magento-based e-commerce sites.
• A skimmer code that leveraged virtual machines to evade detection was also used for Magecart attacks. 

Conclusion