Magecart Black Hats Battle it Out On Infected Site


Groups of cyber-criminals vying for supremacy on the dark web are sabotaging each other’s attempts to skim customer card details from victim e-commerce sites, according to researchers.

Two groups spotted by Malwarebytes' head of investigations, Jérôme Segura, had both infected the Brazilian website of sportswear brand Umbro with Magecart-style card-skimming code.

The first loads its code from a domain impersonating the Bootstrap library, bootstrap-js[.]com, and exfiltrates the captured form data as plain JSON. The second loads from g-statistic[.]com, is heavily obfuscated, and actively interferes with the operation of the first.

“Before the form data is sent, it grabs the credit card number and replaces its last digit with a random number. By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer,” Segura explained.

“Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”
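The tampering described above is simple to model. The block below is an added illustration, not code from the article or from Malwarebytes: it rewrites the last digit of a PAN the way Segura describes and then runs the result through the Luhn (mod 10) check that card numbers must satisfy. The sample PAN is the well-known Visa test number 4111 1111 1111 1111 (not a real card) and the helper names are this example's own. It shows why the tampered value still looks plausible (same length, same BIN prefix) while a Luhn check passes only when the random digit happens to equal the original check digit, i.e. one time in ten.

```javascript
// Added example: models "replace the last digit with a random one" and
// checks what a Luhn validator makes of the result. Not the skimmer's code.

// Luhn (mod 10) check used by card networks: the rightmost digit is the
// check digit computed over all the others.
function luhnValid(pan) {
  const digits = pan.replace(/\D/g, '');
  if (digits.length < 12 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Deterministic helper: replace the last digit with `digit` (0-9).
function tamperLastDigit(pan, digit) {
  return pan.slice(0, -1) + String(digit);
}

// The behaviour described in the article: a random replacement digit.
// (Which RNG the real skimmer used is not stated; Math.random is an assumption.)
function tamperRandom(pan) {
  return tamperLastDigit(pan, Math.floor(Math.random() * 10));
}

// Superficial checks a buyer or shop might apply without Luhn: all digits,
// plausible length, and an unchanged 6-digit BIN prefix. Tampering the last
// digit never disturbs any of these.
function passesSuperficialChecks(pan, originalPan) {
  return /^\d{13,19}$/.test(pan) && pan.slice(0, 6) === originalPan.slice(0, 6);
}

// For a valid PAN, count how many of the ten possible last digits still pass
// Luhn. Exactly one does: the original check digit.
function countLuhnSurvivors(pan) {
  let survivors = 0;
  for (let d = 0; d < 10; d++) {
    if (luhnValid(tamperLastDigit(pan, d))) survivors++;
  }
  return survivors;
}

// Constructed input: the standard Visa test PAN, not a real card.
const SAMPLE_PAN = '4111111111111111';

// Stand-alone demonstration.
const tampered = tamperRandom(SAMPLE_PAN);
console.log('original valid:', luhnValid(SAMPLE_PAN));                       // true
console.log('tampered:', tampered, 'superficial ok:', passesSuperficialChecks(tampered, SAMPLE_PAN));
console.log('tampered passes Luhn:', luhnValid(tampered));                   // true only if digit unchanged
console.log('last digits that survive Luhn:', countLuhnSurvivors(SAMPLE_PAN)); // 1
```

A buyer who screens stolen numbers with nothing more than a length and BIN check will accept the tampered value every time; a Luhn check rejects nine of the ten possible substitutions, which is why such numbers only surface as bad at purchase time.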

Multiple skimmer infections on a single site are not uncommon and usually point to basic security failings on the merchant's platform. Two groups fighting over the same victim, however, underlines how popular Magecart-style skimming has become and how much money is on offer.

RiskIQ recently revealed that card details belonging to British Airways and Newegg customers went on sale within a week of being harvested, potentially generating millions in revenue. That report lists six groups operating Magecart code, although there are likely to be more.

In fact, RiskIQ threat researcher Yonathan Klijnsma tweeted that this skirmish involved Group 3 “being bullied” by a Group 9.

“Website owners that handle payment processing need to do due diligence in securing their platform by keeping their software and plugins up-to-date, as well as paying special attention to third-party scripts,” concluded Segura.

“Consumers also need to be aware of this threat when shopping online, even if the merchant is a well-known and reputable brand. On top of closely monitoring their bank statements, they should consider ways in which they can limit the damage from malicious withdrawals.”
