A growing threat group within the Magecart family of criminals has evolved to skim data not only from website visitors – but also from site administrators as well. This new capability could allow Magecart bad actors to escalate attacks and infiltrate organizations, researchers said.
The group in question, dubbed Group 11, was behind the recent contact lenses merchant VisionDirect’s data breach in November. In that attack criminals stole the data of customers who visited the merchant’s website using a digital skimmer. But in a fresh analysis of Group 11 and the attack, posted Tuesday, researchers at RiskIQ said that adversaries have added a new keyword filtering trick to its arsenal.
The new feature arms Group 11 with the capability to do something never before seen in a Magecart-affiliated groups, such as steal credentials (or essential data) from site administrators.
“This change in keyword filtering is a new development, but we aren’t surprised to see it,” said RiskIQ researchers Yonathan Klijnsma and Jordan Herman. “Web-skimming has many merits for threat actors and can be used for many things. Stealing credentials is something we expected to see much earlier but it seems to have only just now hit this group’s operational side.”
VisionDirect Breach – Bigger Than Thought
That data includes full names, addresses, telephone numbers, email addresses, passwords and payment card data (card numbers, expiration dates and CVV numbers) for visitors of VisionDirect.co.uk.
However, RiskIQ researchers on Tuesday said they had discovered two features of the breach making it much more insidious.
First, the breach extended far beyond the company’s UK website, to include six other countries, including Italy, Spain, Ireland, France, Belgium and the Netherlands.
These sites use the same design template and are all hosted on the same IP – meaning that Group 11 was able to compromise all sites at the same time by hitting that main server.
More importantly, Group 11’s skimmer has added some capabilities that also steal credentials or essential information from administrators. While the skimmer is not different than the skimmers of other Magecart-affiliated groups, the way that Group 11 uses it in relation to keywords is.
Magecart is known for its use of web-based, digital card skimmers, which use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites. These other skimmers use keywords to filter down the pages to make sure that payment forms are being skimmed.
“The URL path filtering, typically used to ensure a skimmer is operating on a payment page only, includes keywords that indicate targeting of other pages including login and administrative pages,” researchers said.
“Getting administrative credentials or information could be useful for further breaching an organization,” Klijnsma told Threatpost. “As for web visitors’ data, Group 11 could be trying to get to the stored information or credential stuffing attacks across different retailers for people that re-use their credentials. This is also the case for the harvested administrative information.”
Magecart: A Continual Threat
The Magecart group, in operation since 2015, has been blamed for an array of recent breaches, including one of the most prolific card-stealing operations seen in the wild to date, as well as a massive breach of Ticketmaster earlier in the year, Klijnsma told Threatpost during a recent podcast interview.
Magecart is made up of a variety of different groups (RiskIQ identified seven) – each with their own set of tools and characteristics.
For instance, “Group 5” was behind the Ticketmaster breach, while “Group 6” was behind the British Airways and Newegg breaches.
“Group 11” for its part was first observed in early 2017 and, despite a relatively small infrastructure compared to other groups, they have been able to compromise a large portion of websites, researchers said, which could be “well over a hundred in our recent data but seeing as their activities stem from 2016, there will be lots more out there,” Klijnsma told Threatpost.