MageCart Group Uses Improved Skimmer to Steal Payment Card Data

Delaware, USA – March 1, 2019 – Successful MageCart attacks attract an increasing number of cybercriminals skilled enough to compromise a website and install a skimmer. In November, seven different competing groups were believed to be carrying out attacks that remained undetected for months; after security teams detected the compromise and removed the malicious code, the attackers reinfected the site within 24 hours. To date, researchers from RiskIQ have recorded 12 different groups, differing in both their compromise techniques and the code they use. Group 4 is the most skilled of them; its members continually improve their tools and infrastructure. This group has reduced the number of domains used in its operations by a factor of about 20, leaving only a few, hosted on a single IP address that acts as a proxy and relays the data to the real servers. The stolen information is sent to several servers at once, so if any part of the infrastructure is taken down, the operation continues without loss of effectiveness.

The skimmer used by Group 4 has also undergone significant changes. The primary tool's line count has dropped tenfold, while its malicious actions have become even more stealthy, and the data is now additionally encrypted with an RSA public/private key pair before transmission. Although MageCart attacks have been carried out since 2015, their number began to grow rapidly in late summer 2018, and as more players entered this area, the different groups began changing their techniques and improving their tools. To detect attacks that inject malicious code into your publicly available resources, you can use the Web Application Security Framework rule pack: https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight