Established card skimming gang “won’t take kindly to someone messing with their profits”

The website for Umbro Brasil has been hit by not just one, but two credit card skimming groups making use of the increasingly notorious Magecart technique.

Magecart has become something of a household name over recent months, thanks to its role in high-profile payment card breaches impacting Ticketmaster, British Airways, Newegg, and Vision Direct.

Although the addition of the umbro.com.br webshop to the list of compromised sites may fail to grab as many headlines as that of a national airline or major events ticketing firm, Malwarebytes’ latest research shines new light on what’s now known to be several distinct groups operating under the Magecart umbrella.

After finding that one of the two scripts deliberately corrupts the card data the other collects, Malwarebytes said the Umbro incident demonstrates how “multiple threat actors are competing at different scales to get their share of the pie”.

Magecart: The unstoppable skim machine

A descendant of the Cart32 shopping cart backdoor discovered some 18 years ago, Magecart takes the form of malicious JavaScript injected into a site’s payment page, either directly or through a compromised third-party script the page loads. Once in place, the script reads every field the user submits in the checkout form – including their name, card details, and CVV number – and sends it to a remote server under the attacker’s control.

Recent insight from RiskIQ and Flashpoint indicates that Magecart payment skimmers have directly victimized at least 6,000 individual sites since 2015. Even more concerning is that, when taking into account compromised third-party payment plugins, the number of impacted sites is thought to stretch well into the hundreds of thousands.

In a joint technical deep dive (registration required) published earlier this month, RiskIQ and Flashpoint documented seven groups operating using the Magecart modus operandi.

Now, just over a week since the report was released, this number has already been bumped up to nine, following the identification of two additional threat groups – one of which has been implicated in the recent Umbro breach in Brazil.

A new criminal group emerges

According to Jérôme Segura, security researcher at Malwarebytes, Umbro Brasil was compromised by two Magecart skimming scripts.

While this is by no means the first time researchers have discovered multiple skimmers on the same website, what’s interesting in the case of Umbro is that one of the scripts includes counter-intelligence code that makes a subtle change to the stolen payment details.

“In this Umbro Brasil compromise, one of the two skimming scripts checks for the presence of other skimming code, and if present will slightly alter the credit card number that was entered by the victim,” Segura explains.

“Effectively, the first skimmer will receive wrong credit card numbers as a direct act of sabotage. Buyers [on the dark web] will eventually realize their purchased credit cards are not working and will not trust that seller again.”
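The mechanics described above (a script harvesting checkout form fields and exfiltrating them, and a second script that detects a rival and corrupts the card number the rival will read) modelled as an added, runnable illustration. This is not code from the Umbro compromise nor from Malwarebytes or RiskIQ; the checkout page is a constructed object standing in for the DOM, the hostnames are made up, the rival-detection method (matching script hosts) and the exact digit change are assumptions, since the page does not describe either.

```javascript
// Added illustration of the skimmer mechanics described in the article (not code from
// the Umbro compromise, Malwarebytes or RiskIQ). Runs under Node: the checkout page is
// a constructed object standing in for the DOM, and every name and host is made up.

// Constructed stand-in for a checkout page: the form fields a victim filled in and the
// src attributes of the <script> tags present on the page.
function makeSamplePage() {
  return {
    fields: [
      { name: "cardholder", value: "Jane Doe" },
      { name: "cardnumber", value: "4111 1111 1111 1111" }, // well-known test PAN
      { name: "expiry", value: "12/29" },
      { name: "cvv", value: "123" },
    ],
    scripts: [
      "https://shop.example/static/checkout.js",
      "https://stats.rival-skimmer.test/loader.js", // hypothetical rival skimmer host
    ],
  };
}

// What any skimmer does first: read every field on the payment form.
function harvestForm(page) {
  const record = {};
  for (const f of page.fields) record[f.name] = f.value;
  return record;
}

// Stand-in for the upload to an attacker-controlled server: skimmers commonly
// base64-encode the JSON record before sending it.
function encodeForExfil(record) {
  return Buffer.from(JSON.stringify(record)).toString("base64");
}
function decodeExfil(payload) {
  return JSON.parse(Buffer.from(payload, "base64").toString());
}

// The article says the second script "checks for the presence of other skimming code"
// but not how. Assumption here: compare <script src> hosts with a list of hosts the
// sabotaging actor knows its rivals use.
function rivalSkimmerPresent(page, rivalHosts) {
  return page.scripts.some((src) => rivalHosts.includes(new URL(src).hostname));
}

// Luhn check digit for a PAN payload (every digit except the last).
function luhnCheckDigit(payload) {
  let sum = 0;
  const digits = payload.split("").reverse().map(Number);
  for (let i = 0; i < digits.length; i++) {
    let d = digits[i];
    if (i % 2 === 0) { d *= 2; if (d > 9) d -= 9; } // rightmost payload digit is doubled
    sum += d;
  }
  return (10 - (sum % 10)) % 10;
}
function luhnValid(pan) {
  const s = pan.replace(/\D/g, "");
  return s.length >= 13 && luhnCheckDigit(s.slice(0, -1)) === Number(s.slice(-1));
}

// "Slightly alter" the card number. The real transformation is not described on the
// page; this version bumps one middle digit and recomputes the check digit, so the
// result still passes Luhn validation and is only exposed when authorisation fails.
function alterCardNumber(pan) {
  const digits = pan.replace(/\D/g, "");
  const i = Math.floor(digits.length / 2);
  const bumped = String((Number(digits[i]) + 1) % 10);
  const payload = digits.slice(0, i) + bumped + digits.slice(i + 1, -1);
  return payload + luhnCheckDigit(payload);
}

// The sabotaging skimmer: copy the genuine data for itself first, then, if a rival is
// on the page, overwrite the input value the rival is about to read.
function sabotagingSkim(page, rivalHosts) {
  const payload = encodeForExfil(harvestForm(page));
  const rivalFound = rivalSkimmerPresent(page, rivalHosts);
  if (rivalFound) {
    const field = page.fields.find((f) => f.name === "cardnumber");
    field.value = alterCardNumber(field.value);
  }
  return { rivalFound, payload };
}

// The plain rival skimmer reads whatever is in the form when it runs.
function plainSkim(page) {
  return encodeForExfil(harvestForm(page));
}

// Run both scripts in the order assumed here (sabotaging script first) and return the
// card number each actor's server would receive.
function simulate() {
  const page = makeSamplePage();
  const sab = sabotagingSkim(page, ["stats.rival-skimmer.test"]);
  const rival = plainSkim(page);
  return {
    rivalFound: sab.rivalFound,
    saboteurGot: decodeExfil(sab.payload).cardnumber,
    rivalGot: decodeExfil(rival).cardnumber,
  };
}

console.log(simulate());
```

The ordering is the key assumption: the sabotage only works if the tampering script reads the field before the rival's handler fires, which in a real page depends on how each script hooks form submission or keystroke events. Preserving the Luhn checksum is a design choice of this model, not something the article attributes to the group, but it shows why the buyer of the stolen data would only notice the problem when the card is declined.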

Jordan Herman, a threat researcher at RiskIQ and co-author of the company’s 60-page Magecart intelligence report, said this is an interesting development – and one that may pave the way for something of a criminal turf war.

“As Malwarebytes notes, it is not particularly novel to see multiple malware infections on the same site,” Herman told The Daily Swig. “Lax security can lead to multiple break-ins and we have seen multiple Magecart skimmers on the same website many times.

“It is much more interesting that the g-statistic group – or Magecart Group 9 as we’re currently tracking them – has decided to directly attack another skimmer with their nifty little data altering trick.

“Since they’re the only ones able to get legit card data from the sites they hit, their revenue stream is made more profitable. I expect Magecart Group 3 to take notice and react in some way. They’ve been around a long time and won’t take kindly to someone messing with their profits.”

(Umbro did not respond to The Daily Swig’s request for comment on this issue. According to Segura, the skimmers have now been removed, but he advised caution among those looking to make a purchase on the site in the absence of a response from the sportswear company.)

No longer an umbrella term

As outlined in the RiskIQ report, the increasing use of the Magecart hacking technique points to a “complex and thriving criminal underworld that has operated in the shadows for years”.

The problem is compounded by the growing number of underground marketplaces that trade in access to compromised sites and in stolen payment card data, along with ready-made skimming kits that let newcomers rack up their own victims.

Given this rapid growth in Magecart-style activity, Segura said the label has lost its usefulness for defining the threat groups making use of the technique.

“There are many more threat actors operating under the Magecart moniker,” he told The Daily Swig.

“In fact, we may have reached a point where attributing attacks to ‘Magecart’ is no longer relevant. Indeed, skimming kits are readily available and new criminals not previously affiliated with the original Magecart group are now entering the scene.”

Herman agrees that the number of criminal groups associated with Magecart is only going to increase over the coming months.

“There are many reasons for this,” he said. “First, there are fortunes to be made via card data theft. Secondly, compromising vendors or third-party suppliers that are unable to defend themselves or detect the compromise is often a trivial task.

“Thirdly, there has been little threat of consequence to those behind these compromises. In short, the rewards are too great, the hurdles too low, and the consequences largely non-existent for this threat to go away any time soon.”