Magecart Threat Group: A brief look into Magecart’s subgroups and high-profile attacks

• The card-skimming threat group has made 7 group appearances attacking thousands of victims over the past 4 years.
• The threat group was responsible for attacks against British Airways, Ticketmaster, the National Republican Senate Committee, Cancer Research UK, Feedify, Oxo, Groopdealz, Everlast, and Newegg.

Magecart card-skimming threat group is comprised of 7 major cybercriminals group. All these groups use the same skimmer toolset version, however, they depend on different tactics and techniques.

The threat group was responsible for attacks against British Airways, Ticketmaster, the National Republican Senate Committee, Cancer Research UK, Feedify, Groopdealz, Everlast, Vision Direct, and Newegg.

Group 1

Magecart group 1 was first spotted in 2015 introducing Magecart skimmer made up of JavaScript tool embedded into e-commerce sites. This tool was used to compromise systems and upload malicious skimmer code.

Once a victim entered his payments details in the form, the skimmer copied it and sent it to a drop server thereby stealing payment information. Group 1 thus successfully impacted almost 2500 online stores.

Group 2

Group 2 made its appearance in 2016 stealing payment card information of several thousand online stores via reshipping scams. The victims included the National Republican Senate Committee, Everlast, and more.

Group 3

In 2016, Group 3 appeared with a different approach impacting nearly 800 online stores. Group 3 skimmer scans for forms containing payment information instead of checking the URL location. If the forms contain payment details, then the threat group steals that information. However, the form should contain names and addresses of customers.

Group 4

Group 4 made its appearance in 2017 affecting almost 3000 online stores. This threat group used an odd anti-analysis technique with a fingerprinter injected into a harmless script, which served as a decoy until a shopper hit the payment page.

“The code added to the bottom of the benign script would check if the user visiting were on a mobile device and if this person had their developer toolbar open. But even more interesting is that Group 4 was performing a timing anti-analysis trick,” RiskIQ researchers explained.

Group 5

In 2018, Magecart group 5 targeted the payment information entered into forms on Ticketmaster’s various websites including Ticketmaster International, Ticketmaster UK, GETMEIN! and TicketWeb.

Ticketmaster was not directly compromised in the attack, However, a third-party supplier for their website known as Inbenta was breached. Group 5 breached Inbenta’s systems and replaced a custom JavaScript module Inbenta made for Ticketmaster with their digital skimmer code.

“On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster,” reads the data breach notification published by Ticketmaster.

Group 6

Group 6 was spotted attacking several victims including British Airways, Newegg, Feedify, and Groopdealz between August and September 2018.

Magecart group 6 attacked British Airways in August 2018, by using a customized version of the skimmer script. The group added some lines of code at the bottom of the code to avoid disruptions to the skimmer script. The skimmer script was loaded from the baggage claim information page on the British Airways website. The code allowed the malicious script to send the customer’s payment data to the attacker’s server.

In September 2018, group 6 hit the online retailer Newegg stealing customers’ credit card data from its website. Group 6 registered a new domain similar to the legitimate Newegg domain on August 13. The group also managed to get an SSL certificate for the new domain from Comodo. Later, on August 14, the threat group injected their skimmer script into the payment processing page of the official Newegg website. When customers made payment, the group was able to access their payment details and send them to their fraudulent domain. Thus, the group successfully stole credit card data of customers who made purchases between August 14, 2018, and September 18, 2018.

Magecart group 6 also attacked Feedify cloud service in September 2018, stealing payment card details of over 4000 customers. The threat group targeted the supply chain of Feedify by installing the malicious script on clients’ website. When customers visited the website, it loaded the malicious script to steal personal information and payment card data.

Group 7

Group 7 has compromised almost 100 online stores. “Instead of using a dedicated host for the injection and the drop, this group uses compromised sites as proxies for its stolen data. Because Group 7 make use of websites that are already compromised sites, and that makes it very difficult to take them down,” researchers said.

The Magecart threat group was thus very active and successful in stealing payment information from several thousands of victims over the years by using malicious skimmer script.