Magecart-related group hits 570 websites, taking 184,000 card numbers

Hackers who targeted 570 e-commerce sites to steal customer financial information compromised more than 180,000 payment cards as part of a covert fraud effort, according to new research analysis.

The group, known as “Keeper,” inserted malicious computer code onto the sites, typically by exploiting weaknesses in technology provided by the sites’ third-party software suppliers. The attack technique, broadly known as Magecart, has struck many thousands of merchants in recent years, ranging from British Airways and NutriBullet to smaller stores.

Gemini Advisory, a threat intelligence startup that scans criminal forums for stolen payment card data, announced the latest campaign in a report published Tuesday.

Since April 2017, the Keeper group has aimed to infect 570 websites based in 55 countries, most often in the U.S., U.K. and the Netherlands. Researchers found an unsecured access log belonging to the Keeper group containing 184,000 compromised payment cards from between July 2018 and April 2019, a stash that Gemini calculated would be worth some $7 million on illicit forums.

Magecart hackers, of which there are more than a dozen loosely defined groups, according to prior RiskIQ findings, typically scan content management systems and e-commerce payment platforms. Upon finding software flaws, attackers tweak the code on an unwitting website in a way that enables outsiders to siphon off key data, such as card numbers, customers’ names and other data to facilitate fraud.

Eighty-five percent of the sites examined by Gemini Advisory relied on software from Magento, which sells software to help web stores launch their own marketplace. Affected sites included an American wine and liquor seller, a South African electrical wholesale firm and an online jewelry store based in India, researchers found.

“In mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses in the United States as well as the rest of the world,” the report noted.

Similar attacks recently have struck Click2Gov, an online payments platform favored by municipal governments, resulting in data breaches in eight U.S. cities.

Recorded Future also announced on Tuesday an investment in Gemini Advisory, which was co-founded by Andrei Barysevich, the former director of advanced collection at Recorded Future and a specialist in cybercrime analysis. Terms of the deal were not disclosed.

“This show of support for the work we’re doing is confirmation of our vision and will position us to accelerate the development of our asset and payment breach monitoring capabilities, as well as improve our capacity for fraud prevention research,” Barysevich said in a statement.