Payment card skimming that steals customers’ personal information from e-commerce sites has become a booming industry in the past six months, with high-profile attacks on Ticketmaster, British Airways, Newegg, and Alex Jones’ InfoWars, to name a few. In a sign of the times, security researcher Jérôme Segura saw two competing teams going head to head for control of a single vulnerable site.
The site belongs to sportswear retailer Umbro Brasil, which as of Tuesday morning had been infected by two rival skimmer groups. The first group planted JavaScript on the site that caused it to send payment card information to the attackers as customers were completing a sale. The malicious JavaScript looks like this:

[Image: the code that sends data back to the exfiltration server. Credit: Malwarebytes]
Formation of the Magecart race
The rival gangs are part of “Magecart,” an umbrella term given to several criminal groups that are competing with each other to infect e-commerce sites with skimmers. A report published last week by security company RiskIQ counts at least seven such groups, but the actual number is likely higher. This explosion in the number of bad actors is a result of the shift to web-based business on insecure servers.
The RiskIQ report explains:
The advent of online shopping changed the global economy, moving spending away from brick-and-mortar establishments to digital storefronts. Online spending is overwhelming for shopping behemoths such as Amazon and Alibaba, as well as many small and medium-sized stores. It also creates a space for a new hidden economy to grow around the theft and sale of credit card data.
As with other business supply chains, we specialize in the cyber criminal area. Software developers create applications for stealing card data from compromised stores but are not part of the actual deal. They earn money by either selling their equipment or entering into profit-sharing agreements with groups or individuals who contract with organizations and then use their equipment to issue skimmers and steal card data. Criminals can compromise stores through their own means, or they can buy access to compromised vendor sites through illegal stores on the Dark Web where such access is being sold. The price for each hacked vendor site is set according to its value as determined by those running the illegal stores.
Once the card data is stolen, it must be monetized. There are illegal stores that specialize in selling stolen card data. Presumably, the parties that buy the cards use them to make purchases. Criminal organizations can also cut out the middleman and instead allow unsuspecting people to receive products purchased with stolen card data and reship them overseas to criminal organizations, who then sell the products in other countries. – their language.
This economy is currently supporting many groups and individuals who have moved to take advantage of the opportunity presented by card theft at the time of online shopping.
The RiskIQ report comes a day after Dutch researcher Willem de Groot published a separate analysis reporting that one in five sites infected with Magecart skimmers are reinfected. The researcher has tracked more than 40,000 infected sites since 2015, 5,400 of them in the last three months.
The reports indicate a perfect storm of the type that causes such outbreaks. The difficulty of securing sites and the past successes against big-name sites are encouraging more and more criminal groups to enter the booming space. There is only so much customers can do. Steering away from small sites can help, but as the infections of Ticketmaster, British Airways, and Newegg show, large sites get hacked too. That leaves monitoring bank statements as the most effective measure most people can take.
At the time this post goes live, Umbro Brasil is infected by both teams. It is almost certainly not the only site with this unfortunate distinction.