Group 4 uses an “odd” anti-analysis technique, with a fingerprinter injected at the bottom of the benign script normally served as a decoy

Whether you are a frequent flyer or a music lover, if your credit card details have been stolen online by hackers over the past few years, there is a significant chance that the Magecart threat group was blamed.

Enterprises from British Airways to Ticketmaster and scores of lower profile businesses have all been hit by the group, which typically uses a JavaScript skimmer that is embedded into e-commerce pages.

And the group is now turning to novel counter-intelligence techniques to check whether adversaries such as law enforcement or threat researchers are trying to analyse its skimmers, a new report warns.

What is Magecart?

So what, or who, is Magecart? Is it a single group? An umbrella term for anyone using such malware-as-a-service? And what can be done to protect against these increasingly widespread and automated attacks?

In a joint, 59-page report published this week, cybersecurity company RiskIQ and business risk intelligence specialist Flashpoint said they have identified the unique characteristics of seven different Magecart groups.

And in a bid to help combat the threat, the two companies supplied thousands of domain names that are indicators of compromise (IOCs) for Magecart activity, in an extensive list (see below) that includes so-called drop servers as well as the servers used to inject the malicious code.

An Evolving Modus Operandi

The two companies identified the groups by analysing unique sets of infrastructure (pools of IP addresses, domains and specific server setup fingerprints); skimmers (unique obfuscation techniques and loading strategies); and targeting (each group uses different methods to reach its victims).

Yonathan Klijnsma, head researcher at RiskIQ, said: “The Modus Operandi of the web-skimming Magecart groups has evolved significantly and has been ramping up over the past two years…It’s likely one of the biggest threats facing e-commerce right now.”

The original Magecart skimmer comprised JavaScript embedded into e-commerce pages. Whenever card data was entered into a form, the skimmer copied the form and sent the stolen card data to a drop server. In this skimmer version, the drop server was the same as the one serving the skimmer.

RiskIQ said: “Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use.”

Variations are significant, however.

Group 3’s skimmer, for example, instead of checking whether it is running on a checkout page by evaluating the page’s URL, checks whether any of the forms on that page hold payment information.

Magecart Analysis: A Sample Skimmer

The skimmer executes every 700 milliseconds and performs three steps to ensure it has the name and address of the person paying, which may be entered in a different step, and on a different page, from the one in which payment details are entered, RiskIQ said.

“By putting the data in local storage, Magecart operators can confirm that they have all the data they need before sending it off. The final step is exfiltrating the skimmed data. The data is [then] concatenated into one large JSON object. This data is then sent to the drop server in a POST request”.

Group 4, meanwhile, tries to blend in with normal web traffic: “It registers domains mimicking ad providers, analytics providers, victim’s domains, and anything else that can be used to hide in plain sight… As a way to blend in with network traffic, Group 4 changes the file paths to image file extensions instead of normal JavaScript extensions.”
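The disguise described above (JavaScript served under an image file path, from a look-alike domain) is something a site owner can scan for statically. The following is an added example written for this article, not code from RiskIQ, Flashpoint or the report: it pulls every `<script src>` out of a page and flags any script whose path ends in an image extension or whose host is not on the site’s own allow-list. The allow-list hosts, the sample page and the `stats-collector.example` domain are all constructed for the demonstration.

```javascript
// Added example (not RiskIQ's or the report's code): flag <script src> tags whose
// URL looks like an image file but is executed as JavaScript, and any script served
// from a host the site does not expect to load code from.
const IMAGE_EXTENSIONS = new Set(['.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.webp']);

// Hypothetical allow-list: the hosts this shop legitimately loads scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(['shop.example', 'cdn.shop.example']);

// Return the lower-cased file extension of a URL path ('' if there is none).
function extensionOf(pathname) {
  const last = pathname.split('/').pop() || '';
  const dot = last.lastIndexOf('.');
  return dot === -1 ? '' : last.slice(dot).toLowerCase();
}

// Extract the src attribute of every <script> tag. A regex is enough for a
// static scan of a page body; it is not a full HTML parser.
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Audit one page: resolve each script URL against the page URL (so relative
// paths are handled) and record why it looks suspicious, if it does.
function auditScripts(html, pageUrl, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const src of scriptSources(html)) {
    const url = new URL(src, pageUrl);
    const reasons = [];
    if (IMAGE_EXTENSIONS.has(extensionOf(url.pathname))) reasons.push('image-extension-script');
    if (!allowedHosts.has(url.hostname)) reasons.push('unlisted-host');
    if (reasons.length > 0) findings.push({ src: url.href, reasons });
  }
  return findings;
}

// Constructed sample checkout page: one first-party script, one script from the
// shop's own CDN, and one "image" served from an unlisted, analytics-sounding host.
const SAMPLE_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib/vendor.js"></script>
<script src="https://stats-collector.example/pixel.png"></script>
</head><body></body></html>`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, 'https://shop.example/checkout'), null, 2));
```

Run against the sample page, only the `pixel.png` script is reported, for both reasons at once. In practice the allow-list is the more durable signal: an attacker can rename a file, but cannot make a look-alike domain appear on a list the site owner maintains.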

RiskIQ and Flashpoint said: “We strongly believe this group originates from another crime business involved in malware distribution and hijacking of banking sessions using web injects. The skimmer and method of operation have a strong similarity to how banking malware groups operate.”

They added: “Something to note: You don’t just jump into the business of web skimming, and with many of these Magecart groups—especially the more sophisticated ones—it’s clear they have a deep history in digital crime.”

Counter-Intel Techniques

In an alarming sign of the groups’ growing sophistication, meanwhile, Group 4 in September also started fingerprinting visitors to find people who might be trying to analyse its skimmer.

RiskIQ’s researchers said: “This fingerprinter was injected at the bottom of the benign script normally served as a decoy until a shopper hits the payment page. The script itself was an attempt at anti-analysis but done in an odd way.”

“The code added to the bottom of the benign script would check if the user visiting were on a mobile device and if this person had their developer toolbar open. But even more interesting is that Group 4 was performing a timing anti-analysis trick.”

They explained: “The concept behind it is that when a piece of code runs a CPU, it’s rather fast at executing all the instructions, but when a human analyzes the code or some trace analyzers run the code, it tends to execute slower. Group 4’s fingerprinter tested for this slowdown in code, which is something we had never seen used in JavaScript before.” (The technique has been used before by other malware.)

Tackling the Magecart Threat

Warning that most organisations’ lack of visibility into their internet-facing attack surface leaves them unaware both of their vulnerabilities and of whether they have been breached, the two companies urged e-commerce providers of any size to conduct integrity checking, such as monitoring servers for any file modifications.

(RiskIQ crawls two billion web pages per day and monitors all resources on a page from a user’s perspective, whether locally hosted or remote, to detect changes, so it can notify website owners as soon as they occur.)