
Magecart’s new group 11 takes aim at admin credentials in new attacks

  • Magecart group 11 has been active since early 2016 and has been stealing more than just payment data.
  • Researchers from RiskIQ analyzed the characteristics of Group 11 and found it to be responsible for the recent attack on Vision Direct.

Magecart has recently been spotted in the wild targeting different e-commerce websites. The group is best known for its formjacking attacks, which insert malicious code into the checkout page of an e-commerce site to steal customers’ financial details.

This capability has enabled the threat actor group to exfiltrate copious amounts of customer data. As the group continues to expand its operations, a new subgroup of Magecart has recently emerged.

Magecart group 11

The new group is tracked as Group 11 and has been found stealing credentials of site administrators, apart from those of website visitors. According to a report by RiskIQ, the group has been active since early 2016 and has been stealing more than just payment data.

“A recent attack by a group known as Magecart Group 11, which we did not cover in the Inside Magecart report, compromised several websites, and breaking from traditional Magecart MO, stole more than just payment data. This group was first observed in early 2016 and, despite a relatively small infrastructure compared to their colleagues, they have been able to compromise a large portion of websites,” RiskIQ researchers Yonathan Klijnsma and Jordan Herman said in a report.

The experts traced the attributes and activities of Group 11, concluding that it was responsible for the data breach at the UK-based contact lens supplier Vision Direct. Upon investigation, Klijnsma and Herman discovered that all the Vision Direct websites were hosted on a single IP address linked to Group 11.

“First of all, an examination of each site shows that they share the same design template. Also, if you look up visiondirect[.]it in RiskIQ Community, you will see that it’s currently hosted on 34[.]246[.]154[.]161. It turns out, all of the Vision Direct websites are hosted on the same IP. By hitting this main server, Group 11 was able to compromise each site at the same time,” said the experts.

Group 11's abilities

The card skimming activity of Group 11 is no different from that of other Magecart groups, but the attackers have added new capabilities that let them steal credentials from site administrators. The group added keywords such as admin, login, and password to its JavaScript skimmer code so that it runs on more pages and skims more information.

“The URL path filtering, typically used to ensure a skimmer is operating on a payment page only, includes keywords that indicate targeting of other pages including login and administrative pages,” Klijnsma and Herman explained.
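
As an added example (not from the article or from RiskIQ), the following Python triage script applies the observation above to a script's source: it checks whether execution is gated on the page URL, which keywords gate it, and whether the script reads form fields, so a filter widened with admin, login or password stands out from a payment-only one. The three JavaScript samples are constructed for the demonstration, and the regular expressions are heuristics, not a detection signature.

```python
import re

# Keywords Magecart skimmers use to gate execution to payment pages, and the
# login/admin keywords RiskIQ reported Group 11 adding to its URL filter.
PAYMENT_KEYWORDS = {"checkout", "payment", "billing", "onepage", "cart"}
CREDENTIAL_KEYWORDS = {"admin", "login", "password"}

LOCATION_RE = re.compile(r"\blocation\s*\.\s*(?:href|pathname|search)\b")
MATCH_RE = re.compile(r"\.(?:indexOf|includes|match|search|test)\s*\(")
FORM_RE = re.compile(r"getElementsByTagName\s*\(\s*['\"]input['\"]|FormData|\.value\b")
STRING_RE = re.compile(r"""["']([A-Za-z_\-]{3,20})["']""")


def analyze_script(js: str) -> dict:
    """Heuristic triage of one script: is it gated on the page URL, which
    keywords gate it, and does it read form fields?"""
    gated = bool(LOCATION_RE.search(js) and MATCH_RE.search(js))
    literals = {s.lower() for s in STRING_RE.findall(js)} if gated else set()
    payment = sorted(literals & PAYMENT_KEYWORDS)
    credential = sorted(literals & CREDENTIAL_KEYWORDS)
    reads_forms = bool(FORM_RE.search(js))
    if gated and reads_forms and credential:
        verdict = "credential-skimmer pattern (login/admin gating)"
    elif gated and reads_forms and payment:
        verdict = "payment-skimmer pattern"
    elif gated:
        verdict = "URL-gated, no form access"
    else:
        verdict = "not URL-gated"
    return {"gated": gated, "payment_keywords": payment,
            "credential_keywords": credential, "reads_forms": reads_forms,
            "verdict": verdict}


# Constructed samples (not real skimmer code): a classic payment-page gate,
# the same gate widened with Group 11's keywords, and a benign analytics hook.
CLASSIC = """
var p = ['onepage', 'checkout'];
var u = window.location.href.toLowerCase(); var hit = false;
for (var i = 0; i < p.length; i++) { if (u.indexOf(p[i]) !== -1) hit = true; }
if (hit) { var f = document.getElementsByTagName('input'); /* read f[i].value */ }
"""
GROUP11_STYLE = CLASSIC.replace("['onepage', 'checkout']",
                                "['onepage', 'checkout', 'admin', 'login', 'password']")
BENIGN = """
if (location.pathname.indexOf('checkout') > -1) { track('checkout_view'); }
"""

if __name__ == "__main__":
    for name, src in [("classic", CLASSIC), ("group11", GROUP11_STYLE), ("benign", BENIGN)]:
        print(name, analyze_script(src)["verdict"])
```

Run over a site's inline and third-party scripts, a result of "credential-skimmer pattern" on a script that has no business touching login or admin pages is the kind of change worth alerting on.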

Magecart’s prolific card-stealing operations have been steadily growing over the past year. The group and its subgroups have been blamed for an array of recent breaches, including the British Airways breach, the Ticketmaster breach, the Feedify attack and more.
