Less than a fifth of digital skimming activity at the start of the year was linked to Magecart groups, as cheap tools lowered the barrier to entry for less sophisticated cyber-criminals, according to new research.
RiskIQ analyzed the cybercrime underground and customer environments across the first quarter of 2022 to better understand the latest trends in a market that used to be dominated by Magecart.
It found that just 18% of detections in the quarter were traced back to one of the several groups using Magecart skimmers. By contrast, 40% were attributed to “generic, potentially modular, or commodity skimmer kits.” That’s more than double the figure of March 2021.
Magecart refers to several distinct cybercrime groups that virtually pioneered the use of malicious JavaScript to steal credit card details. The malicious code is injected onto the payment pages of e-commerce sites either directly or via the victim organization’s supply chain partners.
Its name comes from Magento, the first type of third-party shopping software targeted back in 2016. Big-name victims over the years include Ticketmaster and British Airways.
However, the availability of cheap, easy-to-use skimmers is changing the underground market, RiskIQ claimed.
“The recent growth of commodity malware and ransomware highlights a natural progression into commodity and kit skimmers,” it said. “Easily modifiable with high profitability potential, skimmers with relatively simple functionality can be altered in minor ways to suit new criminals.”
This is not to say Magecart is in permanent decline: RiskIQ observed twice as many detections related to Magecart’s C&C infrastructure in Q1 2022 compared to March 2021.
“Magecart Group 7, Group 12, and Group 8 remain highly active while changing very little in their operations,” it warned.
“In this case, the adage, ‘don’t fix what isn’t broken,’ applies. When targeted retailers remain unaware of skimmer activity, threat actors will continue to operate with their tried and tested, effective scheme.”