Pierluigi Paganini
May 13, 2020
MageCart gangs continue to be very active, security researcher Max Kersten discovered 1,236 domains hosting e-skimmer software.
A look into 1236 web shops that were affected by MageCart, their geographic location, branch, and information about attribution: https://t.co/kordbSFImv
— Max 'Libra' Kersten (@Libranalysis) May 12, 2020
Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010.
According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.
The list of victims of the groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.
Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.
Kersten discovered the compromised domains scanning the Internet with Urlscan.io for a known e-skimmer.
“The results of this research are based on the outcome of the data that is present on UrlScan. Starting off with the skimmer domain that Jacob Pimental and I wrote about, one can search for the moment that the skimmer domain switched in the infection chain.” reads the analysis published by the experts. “Repeating this process results in a list of all the exfiltration domains in the chain until it either breaks or the search is stopped. Additionally, one can recursively query every affected domain to search for other skimmer domains. This addition is considered out of scope for this research.”
Other security experts and firms have already tracked most of the domains discovered by Kersten and although they have already reported the infections to the admins the malicious code is still present.
Kersten reported his discovery to 200 website owners or administrators without receiving any reply.
The experts divided the results into three groups, the sites that are still available, the products category, and the geographic location of the headquarters of the webshops.
70% of the 1236 e-shops found infected was still reachable, many of them were not fully set-up.
Most of the infected sites are in the US (303), followed by India (79) and the UK (68).
Most of the sites appear to have been compromised by the MageCart Group 12, which is a very active group under the Magecart umbrella.
“It is difficult to attribute the skimmer infections to a specific group, given that the skimmers are quite generic, and easily obtainable. The trends in the data show possibly interesting approaches, assuming that the input data is not skewed.” concludes the expert.
“If you have shopped at any of the shops that are in the list below between the given dates, your credit card credentials are likely to be compromised. Please request a new credit card and contact your bank accordingly. Also note that all information that was entered on the site’s payment form was stolen by the credit card skimmer, and should be considered compromised.”
The complete list of compromised sites is available at the end of the post.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Magecart, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
