New Magecart groups are popping up and they’re feuding with each other

• Jerome Segura and William de Groot discovered that Magecart Group 9 has manipulated the code built byMagecart Group 3.
• By using the recycled code, Group 9 spots the vulnerable domains and then alters the payment card details that Group 3 has collected.

Magecart has gained immense notoriety in recent months, due to the high profile attacks the group conducts against various e-commerce sites. The cybercriminals are continuously stealing payment card information of customers purchasing products or services online.

Over the past few months, several new Magecart subgroups have popped up. Now, these groups have begun competing against each other, sparking a new petty cyber feud.

Two new card-skimming attacks from a sub-group of Magecart have come into the limelight recently. Jerome Segura from Malwarebytes and independent Dutch researcher Willem de Groot, found Group 3, a newly emerging threat actor Group 9, and multiple skimming actors involved in attacks on the Umbro Brasil website and Bliv.com recently.

According to Yonthan Klijnsma, a security researcher at RiskIQ, Group 9 is competing with the Group 3, a group that’s been known to be active mainly in South America. Segura and de Groot discovered that Group 9 manipulated the code built by Group 3. The code is basically used to search domains that can be used to pilfer payment card data.

By using the recycled code, Group 9 spots vulnerable domains and then alters the payment card details that Group 3 has collected. It replaces the last digit of a credit/debit card with a random number, thereby derailing Group 3’s efforts.

Segura told ZDNet that the reason for this sabotage is that Group 9 wants to destroy the reputation of Group 3. Commenting on Group 3’s attempts to sell the card data it obtains, Segura said, “Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”

Web card skimming is one of the most common website attacks that has recently been gaining popularity. Segura believes that card skimmers are continuously upgrading their techniques to escalate attacks.

"Web skimmers are one of the most common website infections we see in our daily web crawls. Now that skimming kits are readily available, the door is open to any threat actor, no matter their level of sophistication, to get in the game,” Segura told ZDNet.