Group 4 uses an “odd” anti-analysis technique, with a fingerprinter injected at the bottom of the benign script normally served as a decoy
Whether you are a frequent flyer or a music lover, if your credit card details have been stolen online by hackers over the past few years there’s a significant chance that the Magecart threat group was blamed.
And the group is now turning to highly unique counter-intelligence techniques to check if adversaries like law enforcement or threat researchers are trying to analyse its skimmers, a new report warns.
What is Magecart?
So what, or who, is Magecart? Is it a single group? An umbrella term for anyone using this kind of skimming malware-as-a-service? And what can be done to protect against these increasingly widespread and automated attacks?
In a joint, 59-page report this week cybersecurity company RiskIQ and business risk intelligence specialist Flashpoint said that they have identified the unique characteristics of seven different Magecart groups.
And in a bid to help combat the threat, the two companies supplied thousands of domain names that are indicators of compromise (IoCs) for Magecart activity, an extensive list (see below) that includes the so-called drop servers as well as the servers that host the injected malicious code.
- Magecart IoCs: Groups 1&2
- Magecart IoCs: Group 2
- Magecart IoCs: Group 3
- Magecart IoCs: Group 4
- Magecart IoCs: Group 5
- Magecart IoCs: Group 6
An Evolving Modus Operandi
The two companies identified the groups by analysing unique sets of infrastructure (pools of IP addresses, domains and specific server setup fingerprints); skimmers (unique obfuscation techniques and loading strategies) and targeting (each uses different methods to reach their victims).
Yonathan Klijnsma, head researcher at RiskIQ, said: “The modus operandi of the web-skimming Magecart groups has evolved significantly and has been ramping up over the past two years… It’s likely one of the biggest threats facing e-commerce right now.”
RiskIQ said: “Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use.”
The variations between groups are significant, however.
Group 3’s skimmer, for example, does not check whether it is running on a checkout page by evaluating the page’s URL; instead it checks whether any of the forms on the page hold payment information.
Magecart Analysis: A Sample Skimmer
The skimmer executes every 700 milliseconds and performs three steps to ensure it has captured the name and address of the person paying, which may be entered in a different step, and on a different page, from the one where the payment details are entered, RiskIQ said.
“By putting the data in local storage, Magecart operators can confirm that they have all the data they need before sending it off. The final step is exfiltrating the skimmed data. The data is [then] concatenated into one large JSON object. This data is then sent to the drop server in a POST request”.
RiskIQ and Flashpoint said: “We strongly believe this group originates from another crime business involved in malware distribution and hijacking of banking sessions using web injects. The skimmer and method of operation have a strong similarity to how banking malware groups operate.”
They added: “Something to note: You don’t just jump into the business of web skimming, and with many of these Magecart groups—especially the more sophisticated ones—it’s clear they have a deep history in digital crime.”
In an alarming sign of these groups’ growing sophistication, another of them, Group 4, began in September to fingerprint visitors in order to find people who might be trying to analyse its skimmer.
RiskIQ’s researchers said: “This fingerprinter was injected at the bottom of the benign script normally served as a decoy until a shopper hits the payment page. The script itself was an attempt at anti-analysis but done in an odd way.”
“The code added to the bottom of the benign script would check if the user visiting were on a mobile device and if this person had their developer toolbar open. But even more interesting is that Group 4 was performing a timing anti-analysis trick.”
Tackling the Magecart Threat
Warning that most organisations lack visibility into their internet-facing attack surface, and so are unaware both of their vulnerabilities and of whether they have been breached, the two companies urged e-commerce providers of any size to conduct integrity checking, such as monitoring servers for any file modifications.
(RiskIQ crawls two billion web pages per day and monitors all resources on those pages from a user’s perspective, both locally hosted and remote, to detect changes, so it can notify website owners as soon as they occur.)