Magecart and more under the spotlight

Turf wars for the control of compromised sites are flaring up between rival cybercrime groups using JavaScript sniffers (JS-sniffers), according to a new study by incident response and forensics consultancy Group-IB.

JS-sniffers – a type of malware designed to steal customer payment data from online stores – have become a growing problem for e-commerce providers, particularly over the last two years or so.

The online equivalent of a credit card skimmer targeting ATM cash machines, a JS-sniffer typically comes in the form of a few lines of code that cybercriminals inject into websites to capture data entered by users, such as payment card numbers, names, addresses, and passwords.

Group-IB experts have discovered 38 different JS-sniffer families, of which only 12 were known previously.

During its research, the security firm discovered signs of “competition”, as it became apparent that some JS-sniffer families could detect and eliminate similar malware belonging to competitors that happened to be present on targeted websites.

Moscow-based Group-IB also found examples of some JS-sniffers intercepting and “taking over” the data that was being acquired by rival skimmers on a compromised site.

Sniffing out a good deal

JS-sniffers are put up for sale or rented out through underground cybercrime forums, predominately Russian-speaking hangouts. The profits made by JS-sniffer developers though this illicit trade could amount to hundreds of thousands of dollars per month, Group-IB estimates.

“For instance, websites infected by the WebRank family of JS-sniffers attract around 250,000 visitors every day,” Group-IB said in a statement.

“If the conversion on these websites was only 1%, this would mean that 2,500 shoppers carry out transactions every single day.

“This, in turn, means that, at the minimum price range charged for stolen cards, WebRank developers can make between $2,500 and $12,500 for a JS-sniffer’s one day of ‘work’, which amounts to $75,000 to $375,000 per month.”

JS-sniffers’ cost ranges from $250 to $5,000 on underground forums. Some services offer partnerships whereby the customer provides access to the compromised online store and receives a share of the profits, while the JS-sniffer developer is responsible for providing hosting servers, tech support, and an administrative panel for the customer.


Group-IB’s analysis of 2,440 infected websites found that more than half were attacked by MagentoName JS-sniffer family, whose operators exploit vulnerabilities of older versions of the popular Magento content management system to plant malicious code on vulnerable websites.

More than 13% of infections are carried out by WebRank JS-sniffers family, which attacks third-party sites to inject its malicious code into the targeted websites. One in nine (11%) of infections stemmed from the CoffeMokko family, whose operators use obfuscated scripts designed to steal information from payment forms of payment systems.

Most identified JS-sniffers are set up to steal information from different types of payment forms of website management systems such as Magento, OpenCart, Shopify, WooCommerce, and WordPress.

Such JS-sniffer families include PreMage, MagentoName, FakeCDN, Qoogle, GetBilling, and PostEval. Other JS-Sniffers (such as G-Analytics and WebRank) can be integrated into the code of any website, regardless of the systems used.

WebRank is only third in the “ranking” of mass infections. Websites infected by MagentoName and CoffeMokko JS-sniffers attract more than 440,000 visitors per day, so the cybercrime kingpins behind these scams might be making even more.

A JS-sniffer that infected the British Airways website and mobile app claimed an estimated 380,000 victims while a more recent breach on UK website of the international sporting goods giant Fila, which could have led to the theft of payment details of at least 5,600 customers.

RELATED Criminal turf war may be brewing after Magecart double whammy

JS-sniffers can be modified to make it more difficult to detect them. For example, ImageID and ReactGet are activated only when the buyer is completing their transaction on the website, making their presence on compromised websites harder to detect.

JS-sniffers such as ImageID and G-Analytics mimics legitimate services such as Google Analytics and jQuery in order to disguise their malicious intentions.

Group-IB researchers gained access to their source codes, administrative panels, and cybercriminals’ tools used to mount these attacks. This approach helped identify 38 unique JS-sniffers’ families, at least eight of which have been described for the first time, according to the Moscow-based incident response and computer forensics firm.

A total of 2,440 infected ecommerce websites whose data could have been compromised, were analyzed by Group-IB researchers in putting together its report.

Crime without punishment: In-depth analysis of JS-sniffers’, Group-IB’s report follows earlier research by researchers at RiskIQ and Flashpoint, who used the umbrella term Magecart to talk about 12 cybercriminal groups actively using the hacking techniques.

Group-IB’s study involved an in-depth analysis of JS-sniffers’ darknet market as well as the underpinning infrastructure and monetization methods criminal hackers have harnessed in order to make millions through the website hacking technique.

RELATED Magecart blamed for Sotheby’s Home breach