Old Magecart Domains Come Back To Life

Uploaded on 2019-09-26 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Hacking groups that make up Magecart are effective and persistent at stealing customer and payment card data through skimmers. Now old Magecart domains are finding new life in subsequent threat campaigns, many of which are entirely unrelated to web skimming. 

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information

Shopping carts are attractive targets because they collect payment information from customers. The Magecart hacker often substitutes a piece of Javascript code, either by altering the Magento source or by redirecting the shopping cart using an injection to a website that hosts the malware. 

Magecart is known to have been active since 2016 and is quite prolific. Now RiskIQ has just released research Report that exposes the hijacking and reuse of decommissioned domains used in Magecart web-skimming attacks by a secondary market of cybercriminals. 

This Report explains how Magecart has so radically changed the threat landscape, victimising hundreds of thousands of sites and millions of users, that other cyber-criminals are now building campaigns to monetise their handiwork. These secondary actors know that websites breached by Magecart are likely still making calls to domains once used for skimming and exfiltrating credit card data. Once registrars bring these campaigns back online after they were sinkholed or otherwise deactivated, these scavengers buy them up. 

Their goal is to use them for malvertising and other threat activity, monetising the traffic going to the breached websites on which these domains remain.

These secondary actors are likely experienced in affiliate marketing and fraud and are buying up domains they know lead to a lot of traffic. While ads themselves aren't malicious, they are exploiting the vulnerabilities in websites. In the future, threat actors may also engage in other schemes and threat activity far more malevolent than advertising.

In  the recent British Airways hack, Magecart tailored the attack to the specific system, according to the RiskIQ report. 
“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the report’s authors wrote.

Magecart is a global phenomenon that’s redefined cyber-security over the past four years. Not only has it victimised hundreds of thousands of sites and potentially millions of users, but it’s also created a secondary market around its infrastructure. 

These secondary markets are likely experienced in affiliate marketing and fraud, and are buying up domains dropped by registrars they know have a lot of traffic coming to them. While the ads themselves aren’t malicious, they are exploiting the vulnerabilities in websites while the site owners don’t benefit. Moreover, in the future, threat actors may also engage in other schemes and threat activity far more malicious than advertising. 

Site owners must maintain visibility into the code on their site, make sure it’s clean, updated, and checked on regularly. RiskIQ works to mitigate Magecart incidents by taking down infrastructure, which disrupts the flow of stolen data. However, this does not keep a website clean forever, dutiful vigilance and maintenance is the only way to prevent being victimised by Magecart and follow-up attacks by secondary markets. 

Google:         CSO Online:          RiskIQ:

You Mght Also Read:

Why Is Retail Cyber Security So Weak?:

Banks And Retailers Track How You Type, Swipe And Tap:

 

« Effective Cybersecurity Requires Both Cyber Training & Insurance Cover
Huawei Will Sell Its 5G Know-How »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Navista

Navista

Navista's hardware and software modules are especially designed to ease the deployment of secure networks.

Security Industry Association (SIA)

Security Industry Association (SIA)

The SIA's mission is to be a catalyst for success​ within the global security industry through information, insight and influence.

SOTI

SOTI

SOTI is an industry leader in Enterprise Mobility Management (EMM).

Cyber 360

Cyber 360

Cyber 360 is a Cybersecurity contract and fulltime placement firm dedicated to identifying and hiring Cybersecurity professionals.

Idaptive

Idaptive

Idaptive delivers Next-Gen Access through a zero trust approach. Idaptive secures access everywhere with single sign-on, adaptive MFA, EMM and analytics.

Corelight

Corelight

Corelight is the most powerful network visibility solution for information security professionals.

Cyber Security Education

Cyber Security Education

CybersecurityEducation.org is an online directory of cyber security education and careers.

CyCraft Technology Corp

CyCraft Technology Corp

CyCraft is an AI company that forges the future of cybersecurity resilience through autonomous systems and human-AI collaboration.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

SafeTech Informatics & Consulting

SafeTech Informatics & Consulting

Safetech's OTShield detects, prevents and analyses cyber-attacks in SCADA and Industrial IoT systems by utilising state of the art deception techniques.

Sencode Cyber Security

Sencode Cyber Security

Sencode provides a range of IT security solutions and services, including penetration testing and cyber awareness training to help mitigate the growing risks to your corporate infrastructure.

Positiwise Software Pvt Ltd

Positiwise Software Pvt Ltd

Positiwise Software offers end-to-end software development solutions to accelerate the digital growth of businesses.

Recast Software

Recast Software

Recast Software exists to simplify the work of IT teams and enable them to create highly secure and compliant environments.

HardTarget

HardTarget

HardTarget is a cutting-edge cyber training company serving HWN (High-Net-Worth) Families and their trusted Advisors.

SGNL

SGNL

SGNL redefines identity-first security by integrating business context, closing critical gaps, and transforming how enterprises manage privileged access for a secure, adaptive future.

LEXORA.BY

LEXORA.BY

Lexora is a group of companies consisting of two companies: Lexora Cybersecurity & Lexora Development. We specialize in developing secure software, conducting cybersecurity audits and pentests.