[BreachExchange] Researcher finds 1, 236 websites infected with credit card stealers

[Destry Winant]

https://www.bleepingcomputer.com/news/security/researcher-finds-1-236-websites-infected-with-credit-card-stealers/

A security researcher collected in a span of a few weeks over 1,000
domains infected with payment card skimmers, showing that the MageCart
continues to be a prevalent threat that preys on insecure webshops.

MageCart was first spotted over a decade ago by cybersecurity company
RiskIQ but attacks have grown rampant over the past two years when
big-name companies were hit - British Airways, Ticketmaster, OXO,
Newegg.

Since then, automated systems tuned specifically to detect this type
of threat found hundreds of thousands of websites that on checkout
pages malicious JavaScript designed to steal card data from shoppers.

200 alerts sent, no reply

Using freely available tools and some elbow grease, security
researcher Max Kersten was able to compile a list of 1,236 domains
that were hit by a web skimmer hosted on an external domain.

He started with one domain that hosted a skimmer and the Urlscan.io
website scanning service. This allowed searching for a time when the
skimmer domain changed in the infection chain.

“Repeating this process results in a list of all the exfiltration
domains in the chain until it either breaks or the search is stopped.
Additionally, one can recursively query every affected domain to
search for other skimmer domains” - Max Kersten

Most of the domains included in the research are already available
from other sources, since this one-man effort took some time to reach
a conclusion.

Kersten says that his goal is to add to those publicly available
resources from companies (RiskIQ, Sansec, Group-IB, Malwarebytes,
Trustwave) and other researchers (Willem de Groot, Jérôme Segura,
Affable Kraut, Jacob Pimental, and Mikhail Kasimov) on domains hosting
JavaScript code for stealing payment card info.

Although the data is about two to three weeks old, the researcher
believes the results should be roughly the same at this time. The fact
that he received no reply to the 200 notifications he sent to website
owners or administrators adds to this speculation.

In the list he provides, the latest detection date for some domains is
from 2018. This could mean that they are no longer infected or were no
longer checked through URLio.

The endeavor to email all 1,236 companies was stopped by Google’s spam
detection since Kersten’s messages were exactly the same, save for the
affected domain name and the skimmer detection timestamp.

Main suspect: MageCart Group 12

The methodology used for this research is in no way tracking all
MageCart infections but shows that independent work can uncover a
pretty large number of affected online stores.

Clean dishes made easy.
Ad by Best Buy
See More

Kersten found affected domains by using a scanner he made to parse and
store results from Urlscan.io’s API and several rules that detected
the malicious JavaScript. He then removed incorrect and double entries
and subdomains that would have affected the final set of unique
domains.

For the most part, the results from this effort track partial activity
from MageCart Group 12, which is considered a more advanced threat
actor in the web skimming business.

Kersten told BleepingComputer that the confidence level in attributing
infections to this group increases proportionally to the freshness of
the detection date.

In a report published on his blog, the researcher says that 70% of the
online stores compromised in a MageCart attack could be pinged when he
checked if they were reachable.

This only indicates that they’re no longer feeding cybercriminals with
credit card info but shoppers were affected at one point.

Also, some of them were still under development, as indicated by the
generic Lorem Ipsum placeholder text in “about” pages. Despite this,
they did engage in commercial activity.

“Note that not all infections within the data set loaded the actual
skimmer, as the skimmer domain could have been either unreachable or
taken down. This is favourable for the shopping customer, but the
infection on the web shop was still present, as the request was
recorded“ - Max Kersten

Most affected shops are in the U.S.

As for the categories of products sold on compromised websites and
geographical regions, the researcher spent five evenings to check them
manually.

Food-related shops, services, adult items, and miscellaneous products
are the main categories, along with an “unknown” segment that stands
for shops that were not accessible or found in other sources.

Based on Kersten’s research, the country with the most shops impacted
by MageCart is the U.S., while individual countries in Europe seem to
be the least affected, as the U.K. is in the lead with just 68 shops:

US (303)
Unknown (280)
IN (79)
UK (68)
DE (50)
AU (47)
BR (46)
FR (34)
IT (31)
NL (28)
CA (23)
ES (19)

The researcher provides in his post the full list of domains where a
credit card skimmer was detected. Payment info of those that shopped
on those sites between the provided time interval is likely
compromised. If the card has not expired, it would be a good idea to
check for account balance inconsistencies and ask the issuing bank for
a new one.