Monday, 07 October 2019 09:24

Magecart attacks have crossed 2m mark, RiskIQ claims


A cyber crime syndicate known as Magecart, which is made up of dozens of sub-groups that indulge in credit card theft by skimming online payment forms, has been found to be implicated in more than two million such attacks.

The security firm RiskIQ said, in a report released on Saturday, that among the 2,086,529 attacks, it had detected 18,000 hosts that were directly breached.

The report, titled MageCart: The State of a Growing Threat and written by the company's threat researchers Jordan Herman and Yonathan Klijnsma, said Magecart had been active for nearly a decade, with RiskIQ's first observation of it dating to 8 August 2010.

In reply to queries from iTWire, Herman said RiskIQ used the term Magecart as an umbrella term to describe a particular kind of cyber crime.

"[This is] the injection of skimmer code onto e-commerce websites with the intent of stealing credit card and other personal information," he said. "In the past, we limited this moniker to six discrete criminal groups, but, while we still track a number of specific groups carrying out this type of cyber crime, the proliferation of Magecart means that there are more persons involved in this activity than it is practical for us to enumerate."


Asked to cite the reasons for the increase in Magecart attacks, Herman said there were several causative factors.

"Firstly, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later," he said.

"This dynamic is exacerbated when a vendor is small and lacks resources for extensive QA or other security protections. Specific to the Magecart threat, we see this in the focus of some groups on attacking small third-party vendors as a means to gain access to larger, better-resourced organisations."

Herman said that secondly, it was often the case that types of cyber crime continued to proliferate, evolve, and increase for years after they were identified and became well known.

"For example, ransomware has been well known for years and several extremely widespread attacks have demonstrated the need to protect against it and mitigate its effects through security practices, such as proper back-up procedures, yet we continue to see devastating attacks against municipalities such as Baltimore.


"That is to say, often attack vectors are developed and implemented by a few people. After the efficacy of the attack is demonstrated, other cyber criminals adopt it, alter it, and use it against new targets. With Magecart attacks, in particular, we have seen an evolution of skimming techniques over time."

Herman said at the moment one could observe a wide range of competence and targeting from different groups carrying out Magecart attacks.

"For example, the attacks on British Airways and Newegg were carried out by a group that specifically targeted these organisations, created bespoke skimmers and C2 domains for their attacks, and carried out those attacks with a high level of technical skill. In comparison, the recent attacks on open Amazon S3 buckets were carried out by a group that did no targeting and inserted their skimmer, which was a copy of another group’s skimmer, into any JS script found on an open bucket, demonstrating low levels of effort/skill."

He said while identifying attack vectors or techniques and disseminating that information was an important part of threat response, it was not enough.

"It is the responsibility of every organisation to work to protect themselves and their customers from these threats and to mitigate any potential effects of attacks that are successfully carried out. That is why RiskIQ works with our clients and other organisations we have seen affected by Magecart attacks (for instance, we worked with Amazon to help them identify open S3 Buckets and to communicate with the organisations that owned those buckets and get them closed and the skimmer code removed) to help them understand what happened, why, when, and how so that they can protect themselves in the future."

Asked whether it was safe to conclude that convenience was generally the enemy of security, with the former being sought by the tech industry at the expense of the latter, Herman responded: "As I mentioned above, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later."

Some key points in the report:

  • Seventeen percent of all Malvertisements detected by RiskIQ contain Magecart skimmers;
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely;
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts;
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains; and
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that's gone offline to assume access to these breached sites.

The full report can be downloaded here after registration.

Graphics: courtesy RiskIQ




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


