Magecart, the e-commerce payment card-skimming threat that has recently victimized Ticketmaster, British Airways, Newegg and other notable companies, is primarily comprised of six major active cybercriminal groups, according to a new joint research report. All of these groups use a version the same skimmer toolset, but they rely on different strategies and in some cases have evolved the malware.

Released jointly by RiskIQ and Flashpoint, the report profiles these half-dozen groups, while noting that many more groups and individuals also play a smaller role within the greater Magecart ecosystem.

The original Magecart, Group 1, reportedly dates back to 2014-15, but no longer exists in its original incarnation.This actor introduced the Magecart skimmer, secretly embedding e-commerce pages with a JavaScript-based tool that would copy data entered into online forms and then send it to a drop server. This would form the foundation for all future Magecart activity. One of the group’s early schemes involved tricking U.S.-based job seekers into shipping items purchased with the stolen credit card numbers to Eastern Europe. 

Group 1, which compromised over 2,500 online stores eventually evolved into what RiskIQ and Flashpoint now call Group 2. But its tactics remain similar — both versions of the threat actor are known to victimize a wide range of targets and monetize stolen card information using reshipping scams.

Group 3 appeared in 2016 and has skimmed from more than 800 online stores, the report continues. But this actor’s skimmer works differently in the way it determines whether or not it’s running on a checkout page: it looks for forms containing payment information rather than checking the URL location. Many of the forms it targets come from payment vendors based in Latin America — thus revealing a potential geographic preference in these attacks.

Debuting in 2017, Group 4 is a particularly crafty group with a victim count of over 3,000 stores.

“We strongly believe this group originates from another crime business involved in malware distribution
and hijacking of banking sessions using web injects,” states the report, authored by RiskIQ researchers Yonathan Klijnsma and Jordan Herman, and Flashpoint director of research Vitali Kremez. “The skimmer and method of operation have a strong similarity to how banking malware groups operate.”

The researchers note that Group 4 attempts to “blend in with normal web traffic” through a number of tactics, including registering domains that impersonate their own targets as well as ad and analytics providers. Additionally, this group’s skimmer is a more complex, expansive tool that acts as a malicious overlay superseding legitimate payment forms. Group 4 also employs fingerprinting in order to identify individuals who may be trying to analyze the skimmer.

Group 5 is known to compromise third-party online service providers as a means to later target their e-commerce clients via supply chain attacks. This methodology allows the actor to steal data from thousands upon thousands of companies simply by infecting a small number of third-party companies whose services interact and integrate with these myriad targets.

The researchers state that this is the group responsible for a breach at Ticketmaster UK, which last June disclosed that malicious software on a customer support product hosted by Inbenta Technologies was exporting customers’ data to an unknown third-party.

Among the newest actors is Group 6, which the report calls the “most high-profile Magecart group” due to its headline-generating attacks against British Airways and Newegg this year. The researchers suspect this group is highly focused on top-tier targets because it’s possible to lift high volumes of customers data from such companies even if the skimmer is quickly discovered and shut down.

Group 6 has monetized its stolen data by selling it on a dump and credit card shop, the report continues.

Finally, the report references Group 7, which despite emerging in 2018, has already victimized at least 100 stores. The researchers have not yet pinpointed a specific m.o. for this group. However, they did make an interesting observation on how the group exfiltrates stolen information: “Instead of using a dedicated host for the injection and the drop, this group uses compromised sites as proxies for its stolen data,” the researchers note. “Because Group 7 uses compromised sites, they are difficult to take down.”

In addition to profiling Magecart’s six main current actors, the joint report also covers other related threat groups, as well as underground/dark web commercial operations linked to the threat.