Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Magecart Group Spotted Operating From War Zone

One of the groups using Magecart to steal customer card data from e-commerce sites is operating out of a war zone in eastern Ukraine, security experts have revealed.

The Malwarebytes Threat Intelligence Team described in a blog post how the location of Luhansk near the border with Russia is an “ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.”

The attacks detailed by the vendor target Magento e-commerce sites, and use JavaScript disguised as a Google Analytics domain previously associated with the VisionDirect breach of last year.

The researchers found usernames and passwords belonging to hundreds of e-commerce sites, indicating the scope of the campaign, as well as a PHP backdoor used in these attacks.

The so-called exfiltration gate, web servers set up to receive the stolen data, is also disguised as a Google domain. Along with the card details, the attackers are stealing names, addresses, emails, and phone numbers for possible use in follow-on phishing attacks, Malwarebytes claimed.

The hosting server is located in Luhansk, capital of an unrecognized state set up in 2014 by Russian-backed separatists and known as the Luhansk People's Republic. At the center of the war-torn Donbass region, bulletproof hosting services are “safe from the reach of European and American law enforcement,” according to the vendor.

“Choosing the ASN AS58271 ‘FOP Gubina Lubov Petrivna’ located in Luhansk is no coincidence for the Magecart group behind this skimmer. In fact, on the same ASN at 176.119.1[.]70 is also another skimmer (xn--google-analytcs-xpb[.]com) using an internationalized domain name (IDN) that ties back to that same exfiltration gate. In addition, that ASN is a hotspot for IDN-based phishing, in particular around cryptocurrency assets,” it explained.

“Due to the very nature of such hosts, takedown operations are difficult. It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.”

What’s Hot on Infosecurity Magazine?