Malware

Expert found 1,236 websites infected with Magecart e-skimmer

A security researcher is warning of a new wave of MageCart attackers, he has found over 1,000 domains infected with e-skimmers.

MageCart gangs continue to be very active, security researcher Max Kersten discovered 1,236 domains hosting e-skimmer software.

Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British AirwaysNeweggTicketmasterMyPillow and Amerisleep, and Feedify

Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.

Kersten discovered the compromised domains scanning the Internet with Urlscan.io for a known e-skimmer.

“The results of this research are based on the outcome of the data that is present on UrlScan. Starting off with the skimmer domain that Jacob Pimental and I wrote about, one can search for the moment that the skimmer domain switched in the infection chain.” reads the analysis published by the experts. “Repeating this process results in a list of all the exfiltration domains in the chain until it either breaks or the search is stopped. Additionally, one can recursively query every affected domain to search for other skimmer domains. This addition is considered out of scope for this research.”

Other security experts and firms have already tracked most of the domains discovered by Kersten and although they have already reported the infections to the admins the malicious code is still present.

Kersten reported his discovery to 200 website owners or administrators without receiving any reply.

The experts divided the results into three groups, the sites that are still available, the products category, and the geographic location of the headquarters of the webshops.

70% of the 1236 e-shops found infected was still reachable, many of them were not fully set-up.

Most of the infected sites are in the US (303), followed by India (79) and the UK (68).

Most of the sites appear to have been compromised by the MageCart Group 12, which is a very active group under the Magecart umbrella.

“It is difficult to attribute the skimmer infections to a specific group, given that the skimmers are quite generic, and easily obtainable. The trends in the data show possibly interesting approaches, assuming that the input data is not skewed.” concludes the expert.

“If you have shopped at any of the shops that are in the list below between the given dates, your credit card credentials are likely to be compromised. Please request a new credit card and contact your bank accordingly. Also note that all information that was entered on the site’s payment form was stolen by the credit card skimmer, and should be considered compromised.”

The complete list of compromised sites is available at the end of the post.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

11 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

15 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

20 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

23 hours ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

TheMoon bot infected 40,000 devices in January and February

A new variant of TheMoon malware infected thousands of outdated small office and home office…

2 days ago

This website uses cookies.