At a time when big cybercrime headlines typically involve embattled ransomware gangs or cryptocurrency heists, a less-dramatic activity like online credit-card skimming can be an afterthought. The security researchers who track skimmer groups, though, say these pesky crooks shouldn’t be overlooked.
In mid-February, the cybersecurity companies Sansec and Malwarebytes warned about a specific series of intrusions on e-commerce sites by Magecart hackers — the umbrella term for criminal groups who specialize in capturing people’s credit-card data when they make purchases online. Hundreds of sites were affected by the skimmers, reports said, and most of them were running old, unsupported payment software.
It was a reminder that years of warnings hadn’t reached some corners of the e-commerce world. It was also the latest sign that a threat identified a half-decade ago was not fading away. Sansec called the latest attack methods “clever,” and Malwarebytes said Magecart groups were continuing to “expand and diversify their methods.”
February’s discoveries showed that the “low-hanging fruit” is still available for these hackers, said Steve Ginty, director of threat intelligence at Microsoft-owned RiskIQ, which wrote the first definitive report on Magecart groups in 2018 with another firm, Flashpoint. “On the flipside, there are new vulnerabilities, there are new issues with plugins and other things that these actors are taking advantage of,” he said. “So the tactics may have changed a bit.”
Skimming remains among the top threats to digital payment systems, said Michael Jabbara, vice president of global fraud solutions at Visa. The coronavirus pandemic, which kept consumers away from stores, was a bonanza for fraudsters.
“Something we know about bad actors is that they evolve as the world does,” Jabbara told CyberScoop. (Representatives of American Express and Discover declined to comment for this story, and Mastercard did not respond to CyberScoop’s requests.)
Skimmer groups insert malicious code into the checkout process — typically through vulnerabilities in the software itself or related third-party plugins — to harvest credit-card data. The fraudsters then capitalize on that stolen information in different ways. They might use it to make purchases and then fence those goods, raking in the cash. Or they might simply sell the data to other criminals in dark web forums.
Analysts say it’s difficult to track exactly how much money Magecart crooks make, given that the stolen data is exploited in diverse ways, sometimes with small transactions. And the stolen card information, once it’s in the wild, can look a lot like data from other sources, as hackers have been known to compromise brick-and-mortar stores’ point-of-sale (POS) networks or attach physical skimmers to the card slots on gas pumps or ATMs.
Cybersecurity company Group-IB tries to put a number on the overall value of that broader “carding” market each year, though. For 2021, the estimate was about $1.4 billion, down about $500 million from the previous period. Some of that reduction was due to the international takedown of the Joker’s Stash carding market.
The Magento connection
In the early days, Magecart scores involved several big brand names, including a famous 2018 attack on British Airways’ website. Sites for Ticketmaster, OXO and Newegg also had infections, and by late 2019, researchers found Magecart code on more than 2 million e-commerce pages. As the cybersecurity industry’s warnings got louder and the providers of e-commerce software worked to address vulnerabilities, the headlines died down a bit. Not everyone got the message, though.
Researchers had chosen the name Magecart because the attackers specialized in compromising Magento, an open-source e-commerce platform overseen by software giant Adobe, which took charge of it in 2018. Pick any two sites using Magento, and it’s possible they won’t be running the same version. Hackers can take advantage of sites that aren’t up to date. And in some cases, e-commerce businesses are still running the 1.0 version of Magento, which Adobe no longer supports.
That’s where the burst of activity in February came from. Sansec said more than 500 sites running Magento 1.0 were hit with “a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI)” that allowed attackers to leave as many as 19 backdoors for more access to the system. “It is essential to eliminate each and every one of them, because leaving one in place means that your system will be hit again next week,” Sansec said.
Soon afterward, Sansec was alerting users of Magento 2.0 to patch their systems, given the discovery of a totally different problem. The February alerts came on the heels of news that Magecart code had been discovered on Segway’s website in January.
Afterward, between Feb. 22 and March 1, RiskIQ detected 176 sites injected with Magecart or other skimmers, and 214 unique web domains used by “known Magecart threat actors” for command-and-control of malware on infected sites, the company told CyberScoop.
Attribution is difficult
None of the recent reports about Magecart or other skimmer activity make an attempt to specify who the hackers are or where they might be located. Unlike ransomware gangs — which sometimes publicly shame their victims while trying to squeeze out more profit, or get sloppy with how they handle the cryptocurrency they extort from victims — Magecart operators tend to have low profiles. They often use “bulletproof hosting” services for their command-and-control servers, out of the reach of U.S. and European law enforcement.
Researchers say there are at least eight distinct Magecart groups, and over the years some of them have been tied to financially motivated advanced persistent threat (APT) groups, which sometimes are designated with the abbreviation “FIN.” Magecart 6, blamed by some for the British Airways breach, has been linked to the FIN6 group. Researchers say Magecart 5 is tied to FIN7, also known as Carbanak. Magecart 4 has been linked to Cobalt Group.
International law enforcement actions against Magecart groups, meanwhile, appear to be limited. In late 2019, Interpol and Indonesian police made the first-ever arrests of Magecart suspects. The websites for the U.S. Department of Justice and the FBI — which has made fighting digital crime a priority in recent years — only show a short general warning from the FBI in 2019. Arrests of ATM and gas pump skimming suspects — or figures linked to FIN groups — are far more common.
Plenty of options
As the Magento community and cyber companies try to keep up with the threats, the credit-card companies also are watching closely, too.
Visa’s Michael Jabbara said that skimmer groups still have plenty of options for compromising e-commerce sites, even if payment software is more secure and monitored more closely than it was a few years ago.
“One technique that attackers use is the targeting of third-party companies in order to distribute their malicious skimming code to as many ecommerce websites as possible,” he said via email. “For example, an attack on a website analytics company could lead to the infection of thousands of ecommerce websites that use their service.”
Other advances include “more sophisticated methods of communication to transfer stolen data away from the merchant website,” Jabbara said. One sample found by Visa used a common protocol called WebSockets to “open a direct line of communication between the victim’s web browser and the C2 infrastructure controlled by the attacker,” he said. Another used WebSockets to “download the malicious skimmer and load it in to the webpage,” allowing the attacker “to update their skimmer and distribute it without revisiting already compromised websites.”
Other non-Magento avenues include WooCommerce, a payment-processing plugin for websites that use the ubiquitous WordPress content management system (CMS). Malwarebytes has noticed an increase in skimming with that software, said Jérôme Segura, a senior director of threat intelligence for the company.
“For that reason, I believe if a particular CMS becomes less monetizable, threat actors will simply move to the next one,” he told CyberScoop via email.
In the meantime, keeping tabs on the criminals isn’t getting any easier, even as other kinds of cybercrime, namely ransomware attacks, face more scrutiny. A trove of information that became available to researchers in recent weeks — the leak of 60,000 chat messages and files related to the Conti cybercrime group — turned up virtually nothing about Magecart actors, Segura said.
“It’s not unusual to see different criminal groups intersect,” he said, but in this case it appears that Conti — which works like a business, in running affiliate programs and recruiting people with a talent for penetrating systems — has little to do with skimmers who are more focused on testing and reselling stolen cards.
“I think they are two very different ecosystems,” Segura said.