Magecart runs undetected for two-and-a-half-years: hits 40 new sites

Credit card skimmers behind Magecart scheme evaded detection for 30 months by using the fake content delivery network

Researchers^[1] reported a Magecart skimming operation^[2] that was active for more than 2,5 years and targeted platforms like magazine printing firm.^[3] The particular magazine platform failed to respond to alerts about shady activities, so keyloggers continued to run on payment webpages and performed attacks against customer payment card information and similar data.

Apparently Magecart attack was active since August 2017. Victims of the skimming operation were users who subscribed to the printed version of the ESPN Magazine, “Stars and Stripes” military publication, and many other sites printed on the same printing platform. However, the research showed that at least 18 keyloggers were used to collect the particular credit card data for hacking groups for 30 months. This is the longest skimming operation of Magecart discovered.^[4]

Threat actors cloaked their credit card skimmers with fake content delivery network domains, so their traffic got successfully hidden. Magecart works by injecting malicious JavaScirpt-based scripts into checkout pages of e-commerce stores after hacking those sites. The main goal of attackers is to collect payment information submitted by customers. This personal and credit card data can get sent to remote sites controlled by attackers.^[5]

Trends among web skimmers

It is known that threat actors use legitimate brands, sites, and infrastructures. It is also known that web skimmers can found their way on various platforms to exfiltrate data, hide their tracks. Lookalike domains are not new, but the unique trend that researchers have observed not long ago, includes mimicking Google Analytics. This service gets used by pretty much every site for their ranking and statistics.^[6]

Scammers used two different domains that pretended to be Amazon’s CloudFront content delivery network or CDN. Typically the second piece of the infrastructure gets used for data exfiltration. In this case, it acts as an intermediary attempt to hide the actual server used for exfiltration.

Server exposed via ngrok

This time free ngrok service – a reverse proxy software got used. These combinations of tricks allowed fraudsters to create a custom scheme and attempt to evade detection. The library that got analyzed and revealed all the details about the content delivery network domains, contained malicious code that searched for credit card numbers within online store pages.

Once the checkout page matches the current URL data gets collected from the platform. Typically such targeted data includes names, addresses, emails, phone numbers, credit card information.

Malware researcher, Jérôme Segura, that exposed web skimmers stated:

Threat actors know they typically have a small window of opportunity before their infrastructure gets detected and possibly shutdown. They can devise clever tricks to mask their activity in addition to using domains that are either fresh or belong to legitimate (but abused) owners.

Skimmer operation timeline

The firsts skimmer that was used kept stealing payment data until February of 2019. Then fraudsters replaced it with a new one that was able to exfiltrate user keystrokes to http://jackhemmingway.com/editonepost.com/gate.php. This gate.php is the sniffer kit widely used by various scammers and is an indication of Magecart operations. This kit sells for $950 on the dark web.

It total fraudsters changed skimmers between seven particular versions. Some of them were running for a couple of weeks only. Magecart skimmers switched to additional collecting points a few times:

• 3rd Apr 2019: http://joyjewell.com/gate.php
• 30th Apr 2019: https://thefei.com/usballiance.org/admin/gate.php
• 5th May 2019: https://thefei.com/boomerlifestage.com/admin/gate.php
• 21st July 2019: http://bizlawyer.org/cg-bin/gate.php.