The Magecart group is not the only hacking collective targeting online e-commerce stores en masse. Known as Keeper, this cybercrime group has successfully broken into online store backends to change their source code and insert malicious scripts. These scripts stole payment card details taken from checkout forms. More than 570 online stores have been hacked in the past three years.
Keeper Magecart Hacking Group Attacks
The Keeper hacking group has been performing web skimming, e-skimming, and attacks similar to Magecart. Gemini researchers who analyzed the attacks named the group Keeper Magecart. The Keeper name derives from the repeated usage of a single domain, fileskeeper[.]org. The domain has been used to inject malicious payment card-stealing JavaScript (JS) into victim websites’ HTML code, as well as to receive harvested card data.
According to Gemini, the group is operating with an interconnected network of 64 attacker domains and 73 exfiltration domains. Nearly 600 online stores in 55 countries were targeted between April 1, 2017 and now. The attacks are ongoing.
The Keeper exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites, Gemini’s report says.
Another key finding of the report is that at least 85% of the affected sites operate on the Magento CMS, which has been the top target for the Magecart hacking groups. Most hacked online stores were located in the United States, followed by the UK and the Netherlands.
The researchers also discovered an unsecured access log on the Keeper control panel which held 184,000 compromised payment cards with time stamps ranging from July 2018 to April 2019:
Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards.
Why are attacks against Magento online stores so successful?
To no one’s surprise, the very first reason is running on an outdated version of the content management system, in this case Magento. Reason number two is utilizing unpatched add-ons. A third option, as pointed out by Gemini researchers, is “having administrators’ credentials compromised through SQL injections”, which leaves e-commerce merchants vulnerable to a variety of attack vectors.
Keeper Magecart Capable of Various Attacks
The level of difficulty of the Keeper Magecart group’s attacks varies. Gemini has uncovered thousands of attacks, including simple dynamic injection of malicious code via a malicious domain, and leveraging Google Cloud or GitHub storage services and steganography to embed malicious code into active domains’ logos and images for stealing payment card data. The most troublesome part, however, is that this group continues to evolve and improve its malicious techniques.
In April 2020, the Magecart group introduced a new skimmer known as MakeFrame. According to RiskIQ researchers, the skimmer uses iframes to harvest data, which is where the name comes from.
The MakeFrame skimmer was first detected at the end of January. Since then, several versions have been caught in the wild, presenting various levels of obfuscation. In some cases, the researchers say they have seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data.
“There are several elements of the MakeFrame skimmer that are familiar to us, but it’s this technique in particular that reminds us of Magecart Group 7,” RiskIQ said.
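Both the Keeper injections (a remote JS file pulled from an attacker domain into the store's HTML) and MakeFrame (iframes used to harvest form data) show up on a checkout page as script or iframe sources a merchant never added. The following added example, which is not code from Gemini, RiskIQ, or either skimmer, checks a page's HTML for script and iframe sources whose host is outside a first-party allowlist; the allowlisted hosts and the sample page are assumptions constructed for the example.

```python
# Added example: flag <script>/<iframe> sources on a checkout page whose host
# is not in a first-party allowlist (assumed hosts; not Gemini/RiskIQ code).
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}  # assumption: first-party hosts

class SourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))

def find_unexpected_sources(html, allowed=ALLOWED_HOSTS):
    """Return (tag, src) pairs loaded from hosts outside the allowlist.
    Absolute and protocol-relative URLs are checked; relative paths are
    served from our own origin and skipped."""
    parser = SourceCollector()
    parser.feed(html)
    flagged = []
    for tag, src in parser.sources:
        if not ("://" in src or src.startswith("//")):
            continue
        host = urlparse(src if "://" in src else "https:" + src).hostname or ""
        if host.lower() not in allowed:
            flagged.append((tag, src))
    return flagged

# Constructed sample page: two first-party scripts plus an injected remote
# script and an injected iframe (placeholder hosts, not real indicators).
SAMPLE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://attacker-cdn.invalid/payment.js"></script>
<iframe src="//harvest.invalid/card-form.html"></iframe>
<form id="checkout"><input name="cc_number"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, src in find_unexpected_sources(SAMPLE_HTML):
        print(f"unexpected <{tag}> source: {src}")
```

Run against a saved copy of the live checkout page on a schedule, a non-empty result is the signal to compare the page against the deployed source and look for an injected script or iframe.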