Magecart Group Switches Up Tactics with MiTM, Phishing

This new skimming/phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable.

A fresh splinter group under the Magecart umbrella has been discovered ramping up activity starting in August-September of 2019. It’s using a unique codebase and different tactics to carry out its attacks, according to researchers.

Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment card details and other information entered into the fields on the page.

According to an analysis from RiskIQ, the new group, dubbed Full(z) House by researchers, has innovated when it comes to the Magecart blueprint. It gets its name from using two different attack approaches: Phishing and web skimming. For the former, it’s using generic phishing to gather and sell “fullz,” an underground slang term meaning a full set of an individual’s personally identifying information plus financial data. They have a dedicated store for this purpose, researchers found, called “BlueMagicStore.” In web-skimming arena, the group is harvesting during e-commerce checkouts, and selling credit-card information on its carding store, which is named “CardHouse.”

“At times, we find criminal groups operating for a long time in one particular ecosystem dip their toe in another and experiment with new methods of monetizing,” said RiskIQ researchers, writing in a post on Tuesday. “For example, last year, Magecart Group 4, which seemed to operate in a banking malware ecosystem, began performing card-skimming attacks.”

In their analysis, RiskIQ researchers saw some overlap in the attack infrastructure used to carry out both types of attacks. And, the Dark Web stores also have infrastructure overlap with this operational apparatus.

BlueMagicStore’s inventory comes from active phishing campaigns targeting customers of various financial institutions, the researchers found.

“The [phishing] pages are part of a framework,” they wrote. “They have different templates mimicking every payment provider they implement, but the backend dealing with the information is one and the same for all. While the group uses many different domains, their favorite phishing target remains PayPal.”

On the card-skimming front, the group wrote its own skimmer, according to RiskIQ – which is an unusual move.

“The majority of criminals rely on skimming kits, buying pre-made skimmers from others—there are only a handful of operators now that maintain their own code,” they said.

The skimmer masquerades as a Google Analytics script. It hooks into every input field, and waits for an input change to check if there’s data to steal.

“This implementation is primitive and works more like a keylogger with data validation than a skimmer,” said the researchers. “These criminals are new at skimming and figuring it out as they go….[however, they did] introduce a clever technique that performs a man-in-the-middle (MiTM) attack on e-commerce transactions.”

To carry the MiTM attacks out, the group sets up a page with a template mimicking a known payment processor. When a user attempts to buy something on a compromised store, the store redirects the visitor to a fake payment page where the shopper enters their financial information. That’s then collected by the attackers.

“We have been chronicling Magecart and other web-skimming groups and chronicling changes in tools and tactics,” according to the researchers. “The Fullz group crossed over from the phishing ecosystem to bring an entirely new skill set to the online skimming game. Creating fake external payment pages masquerading as legitimate financial institutions and then redirecting victims to these phishing pages to fill out their payment data adds a new element to the web-skimming landscape. This new skimming/phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable.”

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.