Cybercrime group thought to be behind spate of online attacks

A Magecart group has been unmasked as. being behind a wave of card-skimming attacks

Researchers have ‘decloaked’ a new Magecart threat group responsible for a wave of attacks against e-commerce websites.

So-called Magecart attacks utilize web injections to deploy JavaScript code on Magento websites that skims and steals payment card information from retail website customers.

Once believed to be the work of a single cybercrime gang hitting high-profile targets including Ticketmaster and British Airways, Magecart-style attacks have now evolved and have been adopted by numerous threat groups.

RiskIQ has today (November 12) published a report into the activities of Magecart group 12. The threat actors were previously associated with an attack against Adverline, a French advertising agency, and are believed to be responsible for a recent wave of attacks against online retail sites.

The September info-stealing spree, as documented by Sansec, impacted at least 2,806 e-commerce domains. Each store was running Magento 1, a CMS build that reached end of life – and, therefore, end of support – on June 30.


BACKGROUND Unsupported Magento 1 still powers more than 200,000 e-commerce sites

‘Incalculable’ impact

Sansec estimates that one of the stores alone was responsible for the loss of “thousands” of customers’ payment records. The overall impact is potentially incalculable.

The campaign was uncovered due to the use of a unique skimmer, dubbed “Ant and Cockroach” by RiskIQ.

An analysis of internal data, alongside research previously conducted by Sansec, Sucuri, Malwarebytes, and cybersecurity researcher Antoine Vastel, has led the company to believe the skimmer is the work of Magecart group 12.

Links have been identified with Magecart group 12 infrastructure through a Russian hosting provider, Svyaz, which has hosted domains connected to the skimmer.


Read more of the latest cybercrime news


Ant and Cockroach is not run-of-the-mill malware. While the payload only employs light obfuscation for its loader, heavy radix obfuscation is used to hide the main skimmer.

The radix method is distinctive, although not new, and is broadly described as converting strings to radix representation in order to obfuscate malicious code.

During the September wave, regex checks were performed to ensure the code was loaded on checkout pages. This process was linked to past Magecart 12 activities, the only difference being that the checks were recently shifted from the skimmer itself to its loader.

Recently, Magecart group 12 has also been connected with the use of web injections to covertly install cryptocurrency miners on vulnerable websites.

More to come

Jordan Herman, threat researcher at RiskIQ, told The Daily Swig that Magecart groups will likely become more active over the December holiday season, particularly as the coronavirus pandemic has forced shoppers to buy online.

Herman said: “As you can see, this group’s infrastructure is expansive, so they will continue to operate and probe soft spots for attacks, often looking for ways to breach many sites at once, such as through supply chain attacks.

“With holiday shopping expected to ramp up and be busier than ever with many consumers avoiding brick and mortar stores, Magecart groups like group 12 will look to capitalise.”


READ MORE Magecart gang bypasses iframe protection on hosted payment site